ydnar at shaderlab.com
Wed May 18 08:38:05 PDT 2005
I believe the plan is to use the Netscape cookie security model.
Martin Atkins wrote:
> The OpenID site says (on the spec page):
> openid.trust_root (Optional, but recommended) -- The URL which the
> user will actually see to approve. The return_to URL must descend
> from the trust_root, or the identity server will return an error,
> not a redirect. Namely, the URL scheme and port must match. The
> path, if present, but be equal or below the trust_root, and the
> domains on both must match, or, the trust_root contain a wildcard
> like "*.livejournal.com" (but the wildcard may only be at the
> beginning) You can try to pass things like http://*.com/ or
> http://*.co.uk/, but any respectable identity server will protect
> their users from that. Defaults to return_to URL if absent.
> It's the clause at the end about *.com that concerns me. While I guess
> that this field is purely for display -- the user will see that it's a
> stupid wildcard -- without some concrete restrictions on what should
> be allowed and what should not it's inevitable that some ID servers
> will screw up and allow (or prevent) odd cases.
> For example, *.co.uk is mentioned. As a (rather geeky) human in the
> UK, I know that this is the country-wide domain for companies.
> However, other countries do not have fixed second-level domains and
> will instead let anyone register domains inside their country domain
> directly. There is the possibility that someone could register (for
> the sake of example) co.cx, and that would be a legitimate domain.
> Even if we exclude two-letter domains, there is .org.uk and the
> similar .org.cx.
> How is this dealt with for HTTP cookies? Can I set a cookie for
> .co.uk? If not, what rule says that I can't?
> Regardless of what the rules are, the spec should mention (or at least
> refer to) some more specific rules and require them for compliance.
> yadis mailing list
> yadis at lists.danga.com
More information about the yadis