<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Shade - are you asking about HTML based discovery? <br>
<br>
HTML based discovery definitely is great for usability, since the only
requirement is that the user is able to edit the html on the OpenID
page, rather than having to configure their webserver to return the
special X-XRDS-Location HTTP header. In a webhosting environment, the
user might not have the ability or even the knowledge to configure
their webserver.<br>
<br>
Unfortunately, from a security perspective, HTML based discovery has a
lot of problems. If the content of the page is dynamically generated
from untrusted inputs (for instance, the OpenID URL is a profile page
with a Guestbook), an attacker might be able to insert OpenID discovery
information into the page. Another problem is that the entire page
needs to be downloaded in order to parse it, which is problematic since
many pages are very heavyweight.<br>
<br>
Allen<br>
<br>
Nat Sakimura wrote:
<blockquote
cite="mid:bf26e2340908091653p7db1ad34ufd6f5b55aeef1c36@mail.gmail.com"
type="cite">That's actually host meta, I suppose. <br>
<br>
=nat<br>
<br>
<div class="gmail_quote">On Mon, Aug 10, 2009 at 7:54 AM, SitG Admin <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Not
all sites allow users to fully customize their headers on the Profile
page, but some do allow the user to specify other external files (such
as CSS), containing expected data. This would be an awkward
compatibility hack (and I'm not sure how many sites it would even help
with), but what do you all think of an extension to the Discovery
process allowing RP's to check other external files for comments
containing OpenID declarations?<br>
<br>
-Shade<br>
_______________________________________________<br>
general mailing list<br>
<a moz-do-not-send="true" href="mailto:general@lists.openid.net"
target="_blank">general@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-general"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Nat Sakimura (=nat)<br>
<a moz-do-not-send="true" href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@lists.openid.net">general@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a>
</pre>
</blockquote>
<br>
</body>
</html>