Popup flow
Steven Livingstone-Perez
weblivz at hotmail.com
Tue Sep 22 08:16:07 UTC 2009
A question. When a popup blocker stops a window popping up does it do some
based on the target domain or the host domain?
In other words if the popup gets blocked every time an RP requests
authentication to a given OP then that could really be a usability issue.
However if the user just needs to accept this the once and the target domain
(OP) popup is trusted then that would be fine I'd think. In either case some
usability studies would be interesting.
It just pains me to think of my mum sitting wondering why she can't log into
MumsRUs because the popup isn't being displayed and me having to tell her to
enable it each time on the popup blocker.
steven
http://livz.org
--------------------------------------------------
From: "Allen Tom" <atom at yahoo-inc.com>
Sent: Tuesday, September 22, 2009 1:50 AM
To: "OpenID user experience" <openid-user-experience at lists.openid.net>
Subject: Re: Popup flow
> Hi Darren,
>
> I am not aware of any OAuth SPs which condone having their Login/Approval
> pages framed by a 3rd party website. If the site embeds the SP's Login
> screen, the user has no way of telling if they're being phished.
>
> The OpenID Popup Extension requires the RP to open the popup window with
> the Address Bar clearly displayed, and explicitly forbids the OP's
> Login/Approval screen from being framed. Given that the address bar is
> displayed, the security properties of the popup window are identical to
> the browser redirect.
>
> Allen
>
> Darren Bounds wrote:
>> I find it curious that these compromises have been embraced by the
>> OAuth community to support a greater UX but they are not being
>> embraced by OpenID. After all, isn't an iPhone UIWebView control just
>> a different type of iFrame? You're still trusting the parent application
>> not to do something malicious.
>>
>