Inferring return_to
Paul Crowley
paul at ciphergoth.org
Mon Jun 13 15:58:45 PDT 2005
Martin Atkins wrote:
> I seem to remember that in the old version the original return URL was
> passed back in a parameter, but the consumers I wrote never used it. I
> just built the URL again the same way as I had the first time.
You're right - another clerical error. I'd be grateful if people could
check for more such errors.
But there's a security reason to leave it that way. Checking that the
return_to URL is correct is a vital part of building a secure consumer.
Making them infer it, rather than trusting what they get along with
the token, is one way to ensure that.
It also avoids a double-URL-encoding problem and makes the URL markedly
shorter.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
More information about the yadis
mailing list