Securing HTML vs securing HTTP

Josh Hoyt josh at
Mon Jan 23 17:15:22 UTC 2006


On 1/23/06, Jens Alfke <jens at> wrote:
> I haven't looked into the source code of the various
> OpenID client implementations; are they smart enough to recognize only real
> <link> tags, not CDATA content?

I can't speak for other OpenID implementations, but we were very
careful when implementing our OpenID libraries[1] to ensure that we
only accept <link> tags when they are in the <head> of an HTML
document. We have a test suite[2] to make sure that broken HTML does
not cause us to recognise <link> tags in unexpected places, and to
inform users of our library what markup will be accepted.

Unless the OpenID consumer site is trustworthy, the site's use of
OpenID authentication is meaningless. We hope that users can trust
sites that use our libraries.



More information about the yadis mailing list