That's a good question and warrants wider study.<div><br></div><div>I would think that the blocking behavior would be based on the window opener code in JavaScript (and Flash), but if they have a more aggressive popup blocker, then perhaps it's based on certain hosts.</div>
<div><br></div><div>That said, unless your mom is uber technical and running her own OpenID — it seems unlikely that the big OpenID providers would be blocked. Additionally, if an OP doesn't support the popup flow, then the full window redirect is the fallback... perhaps we just need to have a recommendation that offers text to the effect of "If you don't see a popup window, click here".</div>
<div><br></div><div>Chris<br><br><div class="gmail_quote">On Tue, Sep 22, 2009 at 1:16 AM, Steven Livingstone-Perez <span dir="ltr"><<a href="mailto:weblivz@hotmail.com">weblivz@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
A question. When a popup blocker stops a window popping up does it do so based on the target domain or the host domain?<br>
<br>
In other words if the popup gets blocked every time an RP requests authentication to a given OP then that could really be a usability issue. However if the user just needs to accept this the once and the target domain (OP) popup is trusted then that would be fine I'd think. In either case some usability studies would be interesting.<br>
<br>
It just pains me to think of my mum sitting wondering why she can't log into MumsRUs because the popup isn't being displayed and me having to tell her to enable it each time on the popup blocker.<br>
<br>
steven<br>
<a href="http://livz.org" target="_blank">http://livz.org</a><br>
<br>
--------------------------------------------------<br>
From: "Allen Tom" <<a href="mailto:atom@yahoo-inc.com" target="_blank">atom@yahoo-inc.com</a>><br>
Sent: Tuesday, September 22, 2009 1:50 AM<br>
To: "OpenID user experience" <<a href="mailto:openid-user-experience@lists.openid.net" target="_blank">openid-user-experience@lists.openid.net</a>><br>
Subject: Re: Popup flow<div><div></div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Darren,<br>
<br>
I am not aware of any OAuth SPs which condone having their Login/Approval pages framed by a 3rd party website. If the site embeds the SP's Login screen, the user has no way of telling if they're being phished.<br>
<br>
The OpenID Popup Extension requires the RP to open the popup window with the Address Bar clearly displayed, and explicitly forbids the OP's Login/Approval screen from being framed. Given that the address bar is displayed, the security properties of the popup window are identical to the browser redirect.<br>
<br>
Allen<br>
<br>
Darren Bounds wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I find it curious that these compromises have been embraced by the<br>
OAuth community to support a greater UX but they are not being<br>
embraced by OpenID. After all, isn't an iPhone UIWebView control just<br>
a different type of iFrame? You're still trusting the parent application<br>
not to do something malicious.<br>
<br>
</blockquote>
<br>
_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@lists.openid.net" target="_blank">user-experience@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-user-experience" target="_blank">http://lists.openid.net/mailman/listinfo/openid-user-experience</a><br>
<br>
</blockquote>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br>Personal: <a href="http://factoryjoe.com">http://factoryjoe.com</a><br>Follow me on Twitter: <a href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a><br>
<br>Citizen Agency: <a href="http://citizenagency.com">http://citizenagency.com</a><br>Diso Project: <a href="http://diso-project.org">http://diso-project.org</a><br>OpenID Foundation: <a href="http://openid.net">http://openid.net</a><br>
<br>This email is: [ ] shareable [X] ask first [ ] private<br>
</div>
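The popup-with-fallback flow discussed in this thread, as an added example that is not part of the original messages: a relying party opens the OP's page in a popup with the address bar requested and, if the popup is blocked, offers a link that performs the full-window redirect instead. The function name, the `win` and `showFallbackLink` parameters, the https-only rule and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not code from the thread or from the OpenID Popup Extension.
// `win` is the browser's window object, passed in so the logic can also be
// exercised outside a browser. `showFallbackLink` is a hypothetical RP helper
// that renders "If you don't see a popup window, click here" and runs the
// supplied callback when the user clicks it.
function startOpenIdLogin(win, opUrl, showFallbackLink) {
  // Assumption: only accept an absolute https URL for the OP endpoint, so a
  // javascript: or other scheme can never reach window.open or location.
  let target;
  try {
    target = new URL(opUrl);
  } catch (e) {
    return 'rejected';
  }
  if (target.protocol !== 'https:') {
    return 'rejected';
  }

  // Request a visible address bar so the user can check which site is asking
  // for credentials; the OP page is opened as a top-level window, never framed.
  const features = 'width=500,height=550,location=yes,resizable=yes,scrollbars=yes';

  let popup = null;
  try {
    popup = win.open(target.href, 'openid_popup', features);
  } catch (e) {
    popup = null; // some blockers throw instead of returning null
  }

  // A blocked popup usually shows up as null/undefined or an already-closed handle.
  const blocked = !popup || popup.closed || typeof popup.closed === 'undefined';
  if (blocked) {
    // Fall back to the full-window redirect, triggered by an explicit click.
    showFallbackLink(function redirectToOp() {
      win.location.href = target.href;
    });
    return 'fallback';
  }

  popup.focus();
  return 'popup';
}
```

Call it from a click handler on the login button, since browsers generally treat `window.open` outside a user gesture as an unsolicited popup.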