AJAX/Simple Combo Demo

Martin Atkins mart at degeneration.co.uk
Fri May 20 09:27:18 PDT 2005

Brad's demo has two separate forms: one for AJAX mode, and one for the 
simple (or "Classic") redirect mode.

I've now made a demo which does both from the same form, transparently 
to the user:

(Apologies for the non-standard port; depressingly, that's the only site 
I have to host that on right now.)

One thing that creating this has made very clear to me is that there are 
lots of things that implementers must be careful with to avoid 
cross-site scripting attacks. Both Brad's demo and my demo have a few 
cases where they just show any old values supplied by the ID server with 
no HTML escaping.

My demo is again restricted only to LiveJournal logins, since I don't 
have Brad's paranoid version of LWP::UserAgent.

Those of you who are brave enough to venture into my nasty Perl code can 
find the source code (for now) here:


In practice, a few things would probably be done differently. The main 
thing is that the OpenID stuff would in many cases be part of another 
form. Many sites won't actually support "logging in" as such, but will 
instead just supply a comment form with an OpenID field for one-time use.

Theoretically, the OpenID token fetching (in classic mode) could happen 
in the same request as the comment posting, though that would either 
lead to some really long return_urls or the need for the consumer to 
retain some state and put a token in the return_url to match the 
response. This needs to be thought about, as having the user submit the 
form twice -- or indeed, submit two separate forms -- will confuse or 
concern plenty of people.

More information about the yadis mailing list