[security] Open Redirector issue with checkid_immediate
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Jun 9 02:26:10 UTC 2009
>If this is used on a web site it seems like a lot of trouble to go
>to. They are already on a bad site.
If the site is bad, couldn't it also be sending the user's browser a
script to spoof referer?
>I suspect the major threat is from email links. In that case there
>would be no referrer and the OP could detect that.
It could also detect people who are browsing through proxies (or
modified browsers) to strip the referer information for their privacy.
"Hi, we've detected that your privacy settings prevent our software
from working. To continue using OpenID, please follow these
instructions to reduce your privacy on the internet."
-Shade