Non-recoverable auth failure?
Carl Howells
chowells at janrain.com
Fri Jun 24 10:08:07 PDT 2005
Brad Fitzpatrick wrote:
> No.
>
> We're absolutely not encouraging the use of OpenID server UIs in
> consumer-initiated pop-up windows. If anything screams "phish me please!"
> more, this is it.
>
> The consumers have two choices: replace the existing window with the
> setup URL, or open the setup URL in a new (full) window. Sure, they can
> try and put it in a pop-up, but I'll probably do something on LiveJournal
> to verify we're not in a pop-up and bitch (or pop-out) if so.
>
> Yes, phishing will still happen, but let's not encourage it.

Ok. I'll admit, I wasn't thinking of that, and it's a valid concern.
No encouraging popups of any sort. :)

In that case, why not go with Paul's original suggestion? It's as
functional as and simpler than the current system.

Carl

More information about the yadis mailing list