Popup flow
Allen Tom
atom at yahoo-inc.com
Tue Sep 22 00:50:09 UTC 2009
Hi Darren,
I am not aware of any OAuth SPs which condone having their
Login/Approval pages framed by a 3rd party website. If the site embeds
the SP's Login screen, the user has no way of telling if they're being
phished.
The OpenID Popup Extension requires the RP to open the popup window with
the Address Bar clearly displayed, and explicitly forbids the OP's
Login/Approval screen from being framed. Given that the address bar is
displayed, the security properties of the popup window are identical to
the browser redirect.
Allen
Darren Bounds wrote:
> I find it curious that these compromises have been embraced by the
> OAuth community to support a greater UX but they are not being
> embraced by OpenID. After all, isn't an iPhone UIWebView control just
> a different type of iFrame? You're still trusting the parent application
> not to do something malicious.
>
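To make the distinction in Allen's reply concrete, here is an added example (not code from the thread or from any OpenID/OAuth implementation): a minimal WSGI login page that sends the standard anti-framing headers an OP or SP should set, plus a small audit function that reports whether a response carrying a given set of headers could still be framed by a third-party site. The `login_page_app` name and the sample header sets are constructed for this example.

```python
"""Anti-framing headers for an OP/SP login page, and a checker for them."""
from typing import Dict, List, Optional


def anti_framing_headers() -> Dict[str, str]:
    """Headers a Login/Approval page should send so browsers refuse to
    render it inside a third-party <iframe> (CSP is the modern control,
    X-Frame-Options is kept for older browsers)."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def login_page_app(environ, start_response):
    """Constructed WSGI app: the OP's login screen, served with the
    headers above so it can only appear in a top-level window or popup."""
    body = b"<html><body>Sign in (check the address bar)</body></html>"
    headers = [("Content-Type", "text/html; charset=utf-8")]
    headers += list(anti_framing_headers().items())
    start_response("200 OK", headers)
    return [body]


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None
    when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def is_frameable(headers: Dict[str, str]) -> bool:
    """True if a cross-site page could frame a response with these headers.
    When frame-ancestors is present it takes precedence over X-Frame-Options;
    only 'none'/'self' (or an empty list) block third-party framing."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        third_party = [a for a in ancestors if a not in ("none", "self")]
        return bool(third_party)
    xfo = lower.get("x-frame-options", "").strip().upper()
    # No header at all, or a permissive value, leaves the page frameable
    return xfo not in ("DENY", "SAMEORIGIN")
```

Run `is_frameable` over the headers your own login endpoint returns; a `True` result means a hostile site could embed the page exactly as Allen warns against.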