decoupling from HTML

Mario Salzer mario at erphesfurt.de
Wed Jun 29 05:05:01 PDT 2005


Martin Atkins wrote:
> 
> Yeah, I was arguing this early on but from the point of view that we
> should use the HTTP Link: header rather than just bodge it trying to
> find things that look a bit like HTML links.
> 
> One problem with allowing the link elements to appear anywhere is that I
> could perhaps post a comment on a site which allows HTML (such as
> LiveJournal) which contains a link element pointing at an ID server I
> control. Now, assuming the site doesn't supply an ID server link of its
> own, I can assert as my identity any page in which the comment is displayed.

Ah, well. I didn't thought this to end. Maliciously injected <link>
tags in comment areas is probably not a good thing. Spammers will
probably adopt OpenID too quickly already and giving them extra
opportunity to weaken acceptance of the protocol was plain silly.

And Brad is probably right that not really many people would have
a XML identity file anyhow. So I'll just stick with wrapping my
XML files (if I need this) into fake <!--<html><head>--> and
<!--</head><body>...</html>--> tags. If that tricks one or the
other regex parser (and everything else would be overkill) into
reading it out, I'm already happy.

Real HTTP Link: bits were of course the premium solution here, but
then also more difficult to work with - given the sometimes clumsy
HTTP toolkits (JavaScript and bare PHP). I can understand why
people resist against HTTP headers, if just regexing stuff from
within some angle brackets is common practice anyhow.


More information about the yadis mailing list