Popup flow

Chris Messina chris.messina at gmail.com
Tue Sep 22 16:16:41 UTC 2009


That's a good question and warrants wider study.
I would think that the blocking behavior would be based on the window opener
code in JavaScript (and Flash), but if they have a more aggressive popup
blocker, then perhaps it's based on certain hosts.

That said, unless your mom is uber technical and running her own OpenID — it
seems unlikely that the big OpenID providers would be blocked. Additionally,
if an OP doesn't support the popup flow, then the full window redirect is
the fallback... perhaps we just need to have a recommendation that offers
text to the effect of "If you don't see a popup window, click here".

Chris

On Tue, Sep 22, 2009 at 1:16 AM, Steven Livingstone-Perez <
weblivz at hotmail.com> wrote:

> A question. When a popup blocker stops a window popping up does it do so
> based on the target domain or the host domain?
>
> In other words if the popup gets blocked every time an RP requests
> authentication to a given OP then that could really be a usability issue.
> However if the user just needs to accept this the once and the target domain
> (OP) popup is trusted then that would be fine I'd think. In either case some
> usability studies would be interesting.
>
> It just pains me to think of my mum sitting wondering why she can't log
> into MumsRUs because the popup isn't being displayed and me having to tell
> her to enable it each time on the popup blocker.
>
> steven
> http://livz.org
>
> --------------------------------------------------
> From: "Allen Tom" <atom at yahoo-inc.com>
> Sent: Tuesday, September 22, 2009 1:50 AM
> To: "OpenID user experience" <openid-user-experience at lists.openid.net>
> Subject: Re: Popup flow
>
>
>> Hi Darren,
>>
>> I am not aware of any OAuth SPs which condone having their Login/Approval
>> pages framed by a 3rd party website.  If the site embeds the SP's Login
>> screen, the user has no way of telling if they're being phished.
>>
>> The OpenID Popup Extension requires the RP to open the popup window with
>> the Address Bar clearly displayed, and explicitly forbids the OP's
>> Login/Approval screen from being framed. Given that the address bar is
>> displayed, the security properties of the popup window are identical to the
>> browser redirect.
>>
>> Allen
>>
>> Darren Bounds wrote:
>>
>>> I find it curious that these compromises have been embraced by the
>>> OAuth community to support a greater UX but they are not being
>>> embraced by OpenID. After all, isn't an iPhone UIWebView control just
>>> a different type of iFrame? You're still trusting the parent application
>>> not to do something malicious.
>>>
>>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-user-experience
>>



-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private
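
The popup flow with its fallback, as discussed in this thread, sketched as an added example that is not part of the original messages or of the OpenID Popup Extension text. The function names, the `opts.autoRedirect` switch, the window name and the popup size are assumptions made for illustration.

```javascript
// Added example. startOpenIdAuth, opPageIsFramed and the option names are hypothetical.

// Ask for the address bar explicitly so the user can check the OP's URL.
const POPUP_FEATURES =
  'width=500,height=600,location=yes,status=yes,resizable=yes,scrollbars=yes';

// RP side. `win` is the browser `window`; it is a parameter so the logic can be
// exercised with a stub. Call this from a click handler: popup blockers
// generally allow window.open() only in response to a user gesture.
function startOpenIdAuth(win, opAuthUrl, opts = {}) {
  const url = new URL(opAuthUrl).href; // throws on a malformed URL
  let popup = null;
  try {
    popup = win.open(url, 'openid_popup', POPUP_FEATURES);
  } catch (e) {
    popup = null; // treat an exception from window.open() as a blocked popup
  }
  // A blocked popup shows up as null/undefined or as an already-closed handle.
  const blocked = !popup || popup.closed !== false;
  if (!blocked) {
    return { mode: 'popup', popup };
  }
  if (opts.autoRedirect) {
    // Fallback named in the thread: full-window redirect to the OP.
    win.location.assign(url);
    return { mode: 'redirect', url };
  }
  // Otherwise hand the page what it needs to render a visible link.
  return {
    mode: 'blocked',
    fallbackUrl: url,
    message: "If you don't see a popup window, click here",
  };
}

// OP side: the login/approval page must not render inside a frame.
function opPageIsFramed(win) {
  return win.top !== win.self;
}
```
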