[security] Open Redirector issue with checkid_immediate

David Recordon david at sixapart.com
Tue Jun 9 17:45:18 UTC 2009


We actually just use Google for this, via URLs like http://www.google.com/url?sa=D&q=http%3A%2F%2Fseleniumhq.org%2F.

--David

On Jun 8, 2009, at 10:00 PM, Allen Tom wrote:

> SitG Admin wrote:
>>
>> It could also detect people who are browsing through proxies (or
>> modified browsers) to strip the referer information for their
>> privacy.
>>
> Many organizations run proxies to strip the referrer from outgoing
> requests because of privacy issues.
>
> Also, checking that the referrer's domain matches the return_to
> could be problematic for RPs that run multiple domains, but have a
> centralized OpenID RP service. Another problematic scenario is where
> the RP integrates with a 3rd party to implement OpenID
> authentication, such as Janrain's RPX or Google Friend Connect.
>
> Allen
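The objections Allen raises above, as an added example that is not part of this thread: a naive "Referer host must equal return_to host" check is run over constructed requests covering a stripped Referer, a multi-domain RP with a central OpenID service, and a third-party RP provider, and all three legitimate cases are wrongly rejected. A second function shows the check the OpenID 2.0 spec actually prescribes, return_to descending from the RP's declared realm, in a simplified form (the hostnames and the omission of port handling are assumptions).

```python
from urllib.parse import urlparse

def referer_matches_return_to(referer, return_to):
    """Naive Referer check discussed in the thread: the Referer host must
    equal the return_to host. Returns (accepted, reason)."""
    if not referer:
        # Proxies and privacy-minded browsers strip Referer entirely
        return False, "no Referer header"
    r_host = urlparse(referer).hostname
    t_host = urlparse(return_to).hostname
    if r_host != t_host:
        return False, f"Referer host {r_host} != return_to host {t_host}"
    return True, "hosts match"

def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 rule: return_to must descend from the realm the RP
    declared. A realm host of '*.example.com' accepts example.com and any
    subdomain. Simplified: ports are ignored (assumption)."""
    rt, rl = urlparse(return_to), urlparse(realm)
    if rt.scheme != rl.scheme or not rt.hostname or not rl.hostname:
        return False
    if rl.hostname.startswith("*."):
        suffix = rl.hostname[1:]                      # ".example.com"
        if rt.hostname != suffix[1:] and not rt.hostname.endswith(suffix):
            return False
    elif rt.hostname != rl.hostname:
        return False
    return rt.path.startswith(rl.path or "/")

# Constructed sample requests (placeholder hostnames): one ordinary login
# plus the three false-rejection scenarios raised in the thread.
CASES = {
    "same_site":      ("https://rp.example.com/login",
                       "https://rp.example.com/openid/return"),
    "proxy_stripped": (None,
                       "https://rp.example.com/openid/return"),
    "multi_domain":   ("https://shop.example.org/login",
                       "https://sso.example.com/openid/return"),
    "third_party":    ("https://news.example.net/login",
                       "https://rpx.example-vendor.com/openid/return"),
}

def run_referer_checks():
    """Apply the naive Referer check to every case; only 'same_site' passes."""
    return {name: referer_matches_return_to(ref, rt)[0]
            for name, (ref, rt) in CASES.items()}

if __name__ == "__main__":
    for name, accepted in run_referer_checks().items():
        print(f"{name:15} accepted={accepted}")
```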
