Inferring return_to

Martin Atkins mart at
Tue Jun 14 06:17:18 PDT 2005

Brad Fitzpatrick wrote:
> It's a royal pain in the ass to reliably infer it, especially generically
> from a library, which is criticial to adoption.  Plus it imposes
> additional restrictions on server implementators about how they append URL
> arguments (which they may have no control over, if they're using a URL
> object).  People aren't going to hand-code implementations of OpenID like
> mart and us.  It's so much easier to just get the return_to URL back,
> parse it, and do checks on the hostname.  Same security, but more
> flexibility of implementation.
> I'm going to have to pull rank here and say it's more of a protocol and
> implementation issue and less a security issue and request it stay in.

I'm not quite sure why anyone would use a "URL class" to do something as
simple as concatenating ?sid=23534 onto their script URL, but if you say so.

I would actually class parsing a URL as more painful than forming one.

> P.S. emailing this from +0100... what up WEST?

Get out of my timezone! (or there abouts) ;)

More information about the yadis mailing list