Inferring return_to

Paul Crowley paul at
Mon Jun 13 15:58:45 PDT 2005

Martin Atkins wrote:
> I seem to remember that in the old version the original return URL was
> passed back in a parameter, but the consumers I wrote never used it. I
> just built the URL again the same way as I had the first time.

You're right - another clerical error.  I'd be grateful if people could 
check for more such errors.

But there's a security reason to leave it that way.  Checking that the 
return_to URL is correct is a vital part of building a secure consumer. 
  Making them infer it, rather than trusting what they get along with 
the token, is one way to ensure that.

It also avoids a double-URL-encoding problem and makes the URL markedly 
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list