decoupling from HTML

[Martin Atkins]

Mario Salzer wrote:
> While the spec claims that OpenID does not impose its own user
> profile format, it is somewhat bound to HTML currently.

...

> If you want a real world example, then think of a HTML-free blog
> - one that consists of a single Atom feed only. And if the author
> now wants to use this feeds URL (http://blog.atomonly.org/) as
> identity for OpenID logins, it would surely help if implementations
> were not tied to HTML only.

Yeah, I was arguing this early on but from the point of view that we
should use the HTTP Link: header rather than just bodge it trying to
find things that look a bit like HTML links.

One problem with allowing the link elements to appear anywhere is that I
could perhaps post a comment on a site which allows HTML (such as
LiveJournal) which contains a link element pointing at an ID server I
control. Now, assuming the site doesn't supply an ID server link of its
own, I can assert as my identity any page in which the comment is displayed.

Of course, sites should really be filtering the LINK elements out of the
HTML, but requiring it to be in the HTML head at least provides a
measure of protection from this attack.

The Link: HTTP header would be the most "correct" way to do it, because
then it's out of band from the document itself, but lots of users have
hosting providers which disallow or make difficult the setting of
arbitrary HTTP headers. Requiring support for both would never fly as
implementers would end up just implementing whatever the big sites do
and ignoring all of the weird cases, which is why this proposal got
thrown out before.