Some implementations don't process the HEAD element correctly
SitG Admin
sysadmin at shadowsinthegarden.com
Wed Aug 26 13:33:08 UTC 2009
>Maybe the spec should carry an informative note to implementors to point out
>that the HEAD element does not necessarily have any textual representation in
>the HTML source?
>
>Comments?
See the general archives for a thread between the 9th and 10th of
this month about outsourcing headers: restricting the scan for OpenID
headers to this "HEAD" area (*before* the "BODY" starts) is actually
*desirable* behavior, since it would prevent Identity theft from
injecting HTML in embedded comments, guestbooks, basically anything
that is dynamically generated server-side rather than linked to
within the page (like CSS).

The advisory for security should carry a note to implementors about
this, pointing out that the attack works even in the absence of users
(or servers) not actively supporting OpenID; permitting the theft of
Identity victims never even realized they had would not be a good PR
achievement for OpenID.
-Shade
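
The HEAD-only scan discussed in this message, as an added example that is not part of the original post and not code from any OpenID library. It treats HEAD as possibly implicit (no literal tag in the source) and stops discovery at the first BODY content; the names `HeadOnlyDiscovery` and `discover` and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
# rel values used for HTML-based discovery in OpenID 1.1 and 2.0
OPENID_RELS = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}
# Elements that may appear in HEAD; any other start tag means BODY content has begun
HEAD_TAGS = {"html", "head", "title", "meta", "link", "base", "style", "script", "noscript"}
TEXT_TAGS = {"title", "style", "script"}  # their text does not end HEAD

class HeadOnlyDiscovery(HTMLParser):
    def __init__(self):
        super().__init__()
        self.head_open = True  # HEAD may be implicit, so start inside it
        self.text_tag = None
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if not self.head_open:
            return  # once HEAD has ended, nothing later can reopen it
        if tag not in HEAD_TAGS:
            self.head_open = False  # <body>, <p>, <div>, ... end HEAD
        elif tag in TEXT_TAGS:
            self.text_tag = tag
        elif tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in OPENID_RELS and a.get("href"):
                    self.found.setdefault(rel, a["href"])

    def handle_endtag(self, tag):
        if tag == self.text_tag:
            self.text_tag = None
        elif tag == "head":
            self.head_open = False

    def handle_data(self, data):
        # Visible text outside <title>/<style>/<script> implies BODY has started
        if self.head_open and self.text_tag is None and data.strip():
            self.head_open = False

def discover(html):
    p = HeadOnlyDiscovery()
    p.feed(html)
    p.close()
    return p.found
# Constructed sample pages; all hosts are placeholders.
OWNER_PAGE = ('<html><head><title>Blog</title>\n'
              '<link rel="openid.server" href="https://op.example/auth"></head>\n'
              '<body><div><link rel="openid.server" href="https://other.example/auth"></div></body></html>')
NO_OPENID_PAGE = ('<!DOCTYPE html><title>Guestbook</title>\n'
                  '<p>Nice site!</p><link rel="openid.server" href="https://other.example/auth">')
```

`discover(OWNER_PAGE)` returns only the link from the real HEAD, and `discover(NO_OPENID_PAGE)` returns nothing even though the page has no literal HEAD tag and its owner never set up OpenID.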