mart at degeneration.co.uk
Wed May 18 07:40:27 PDT 2005
The OpenID site says (on the spec page):
openid.trust_root (Optional, but recommended) -- The URL which the
user will actually see to approve. The return_to URL must descend
from the trust_root, or the identity server will return an error,
not a redirect. Namely, the URL scheme and port must match. The
path, if present, but be equal or below the trust_root, and the
domains on both must match, or, the trust_root contain a wildcard
like "*.livejournal.com" (but the wildcard may only be at the
beginning) You can try to pass things like http://*.com/ or
http://*.co.uk/, but any respectable identity server will protect
their users from that. Defaults to return_to URL if absent.
It's the clause at the end about *.com that concerns me. While I guess
that this field is purely for display -- the user will see that it's a
stupid wildcard -- without some concrete restrictions on what should be
allowed and what should not it's inevitable that some ID servers will
screw up and allow (or prevent) odd cases.
For example, *.co.uk is mentioned. As a (rather geeky) human in the UK,
I know that this is the country-wide domain for companies. However,
other countries do not have fixed second-level domains and will instead
let anyone register domains inside their country domain directly. There
is the possibility that someone could register (for the sake of example)
co.cx, and that would be a legitimate domain. Even if we exclude
two-letter domains, there is .org.uk and the similar .org.cx.
How is this dealt with for HTTP cookies? Can I set a cookie for .co.uk?
If not, what rule says that I can't?
Regardless of what the rules are, the spec should mention (or at least
refer to) some more specific rules and require them for compliance.
More information about the yadis