Securing HTML vs securing HTTP
josh at janrain.com
Mon Jan 23 17:15:22 UTC 2006
On 1/23/06, Jens Alfke <jens at mooseyard.com> wrote:
> I haven't looked into the source code of the various
> OpenID client implementations; are they smart enough to recognize only real
> <link> tags, not CDATA content?
I can't speak for other OpenID implementations, but we were very
careful when implementing our OpenID libraries to ensure that we
only accept <link> tags when they are in the <head> of an HTML
document. We have a test suite to make sure that broken HTML does
not cause us to recognise <link> tags in unexpected places, and to
inform users of our library what markup will be accepted.
Unless the OpenID consumer site is trustworthy, the site's use of
OpenID authentication is meaningless. We hope that users can trust
sites that use our libraries.
More information about the yadis
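The "only `<link>` tags that really sit in `<head>`" rule described in the message above, as an added illustration that is not code from this thread or from Janrain's libraries: a small scanner built on Python's standard `html.parser` that collects `<link>` tags only while inside `<head>` and before `<body>`, so that look-alike markup in the body, in comments, in CDATA sections or in `<script>` text is never treated as a discovery tag. It assumes the OpenID 1.x convention of `rel="openid.server"`; the sample documents are constructed for the example.

```python
from html.parser import HTMLParser


class HeadLinkParser(HTMLParser):
    """Collect <link> tags only while inside an explicit <head> element.

    Anything that appears after </head> or after <body> is ignored, as is
    content of comments, CDATA sections and <script>/<style> elements,
    which html.parser never reports as start tags.
    """

    def __init__(self):
        super().__init__()
        self.in_head = False    # currently between <head> and </head>
        self.head_done = False  # head closed (or body opened): stop looking
        self.links = []         # attribute dicts of accepted <link> tags

    def handle_starttag(self, tag, attrs):
        if self.head_done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            # A <body> without a preceding </head> still ends the head.
            self.in_head = False
            self.head_done = True
        elif tag == "link" and self.in_head:
            self.links.append(dict(attrs))

    def handle_startendtag(self, tag, attrs):
        # Treat self-closing <link ... /> the same as <link ...>.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.head_done = True


def find_openid_server(html_text):
    """Return the href of the first rel="openid.server" <link> in <head>,
    or None if the document carries no acceptable discovery tag."""
    parser = HeadLinkParser()
    parser.feed(html_text)
    parser.close()
    for attrs in parser.links:
        rels = (attrs.get("rel") or "").lower().split()
        if "openid.server" in rels and attrs.get("href"):
            return attrs["href"]
    return None


# Constructed sample documents (hostnames are placeholders).
SAMPLE_GOOD = """<html><head>
<title>Example profile</title>
<link rel="openid.server" href="https://idp.example/openid">
</head><body>
<link rel="openid.server" href="https://rogue.example/openid">
</body></html>"""

SAMPLE_BODY_ONLY = """<html><head><title>No discovery here</title></head>
<body><link rel="openid.server" href="https://rogue.example/openid"></body></html>"""

SAMPLE_HIDDEN = """<html><head>
<!-- <link rel="openid.server" href="https://comment.example/openid"> -->
<script><![CDATA[ <link rel="openid.server" href="https://cdata.example/openid"> ]]></script>
</head><body></body></html>"""

SAMPLE_NO_HEAD = """<html>
<link rel="openid.server" href="https://nohead.example/openid">
<body></body></html>"""


if __name__ == "__main__":
    for name, doc in [("good", SAMPLE_GOOD), ("body_only", SAMPLE_BODY_ONLY),
                      ("hidden", SAMPLE_HIDDEN), ("no_head", SAMPLE_NO_HEAD)]:
        print(f"{name}: {find_openid_server(doc)!r}")
```

The parser deliberately requires an explicit `<head>`: a document that omits it yields no discovery tag rather than guessing where the head would have been. That is the kind of decision a test suite like the one the message mentions should pin down, so that users of the library know which markup is accepted.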