[security] Open Redirector issue with checkid_immediate
Allen Tom
atom at yahoo-inc.com
Tue Jun 9 05:00:33 UTC 2009
SitG Admin wrote:
>
> It could also detect people who are browsing through proxies (or
> modified browsers) to strip the referer information for their privacy.
>
Many organizations run proxies to strip the referrer from outgoing
requests because of privacy issues.
Also, checking that the referrer's domain matches the return_to could
be problematic for RPs that run multiple domains, but have a centralized
OpenID RP service. Another problematic scenario is where the RP
integrates with a 3rd party to implement OpenID authentication, such as
Janrain's RPX or Google Friend Connect.
Allen
More information about the security
mailing list