Popup flow

Steven Livingstone-Perez weblivz at hotmail.com
Tue Sep 22 17:48:59 UTC 2009


> unless your mom is uber technical and running her own OpenID

I never underestimate my mum's technical knowledge since the day she helped me with Algebra, which she believed was a place in central Africa.

Anyway, yes I think some kind of standard help text would make things easier for non-technical folk. 

If at least the main OPs aren't hidden then that's a good start. May try it out and see what happens if I find some time.

steven
http://livz.org



From: Chris Messina 
Sent: Tuesday, September 22, 2009 5:16 PM
To: OpenID user experience 
Subject: Re: Popup flow


That's a good question and warrants wider study. 


I would think that the blocking behavior would be based on the window opener code in JavaScript (and Flash), but if they have a more aggressive popup blocker, then perhaps it's based on certain hosts.


That said, unless your mom is uber technical and running her own OpenID — it seems unlikely that the big OpenID providers would be blocked. Additionally, if an OP doesn't support the popup flow, then the full window redirect is the fallback... perhaps we just need to have a recommendation that offers text to the effect of "If you don't see a popup window, click here".


Chris


On Tue, Sep 22, 2009 at 1:16 AM, Steven Livingstone-Perez <weblivz at hotmail.com> wrote:

  A question. When a popup blocker stops a window popping up does it do so based on the target domain or the host domain?

  In other words if the popup gets blocked every time an RP requests authentication to a given OP then that could really be a usability issue. However if the user just needs to accept this the once and the target domain (OP) popup is trusted then that would be fine I'd think. In either case some usability studies would be interesting.

  It just pains me to think of my mum sitting wondering why she can't log into MumsRUs because the popup isn't being displayed and me having to tell her to enable it each time on the popup blocker.

  steven
  http://livz.org

  --------------------------------------------------
  From: "Allen Tom" <atom at yahoo-inc.com>
  Sent: Tuesday, September 22, 2009 1:50 AM
  To: "OpenID user experience" <openid-user-experience at lists.openid.net>
  Subject: Re: Popup flow 



    Hi Darren,

    I am not aware of any OAuth SPs which condone having their Login/Approval pages framed by a 3rd party website.  If the site embeds the SP's Login screen, the user has no way of telling if they're being phished.

    The OpenID Popup Extension requires the RP to open the popup window with the Address Bar clearly displayed, and explicitly forbids the OP's Login/Approval screen from being framed. Given that the address bar is displayed, the security properties of the popup window are identical to the browser redirect.

    Allen

    Darren Bounds wrote:

      I find it curious that these compromises have been embraced by the
      OAuth community to support a greater UX but they are not being
      embraced by OpenID. After all, isn't an iPhone UIWebView control just
      a different type of iFrame? You're still trusting the parent application
      not to do something malicious.



    _______________________________________________
    user-experience mailing list
    user-experience at lists.openid.net
    http://lists.openid.net/mailman/listinfo/openid-user-experience






-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private
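
[Added example, not part of the original thread or of any OpenID specification: a JavaScript sketch of the RP-side popup launch with the "click here" fallback to a full-window redirect, plus the OP-side check that its login page is not framed. The function names, window name and feature string are illustrative assumptions.]

```javascript
// Added illustration; function names, window name and feature string are assumptions.

// Ask for a popup with the address bar visible. Current browsers show the
// address bar in popups regardless of this hint.
const POPUP_FEATURES = "width=500,height=550,location=yes,status=yes,resizable=yes";

// A blocker usually makes window.open() return null; some hand back a window
// object that is already closed.
function popupWasBlocked(popup) {
  return !popup || popup.closed === true || typeof popup.closed === "undefined";
}

// RP side. `win` is the browser's window, passed in so the logic can be tested.
// Call this from a click handler: built-in blockers generally allow
// window.open() only in response to a user action.
function startPopupLogin(win, authUrl) {
  const popup = win.open(authUrl, "openid_popup", POPUP_FEATURES);
  const blocked = popupWasBlocked(popup);
  return {
    blocked,
    popup: blocked ? null : popup,
    // Wire this to the "If you don't see a popup window, click here" link:
    // it falls back to the full-window redirect.
    redirect() { win.location.href = authUrl; },
  };
}

// OP side. True when the login/approval page is inside a frame, in which case
// the OP should not render the form.
function isFramed(win) {
  return win.top !== win.self;
}
```
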


