HTTP Headers vs. link rel=

Paul Timmins paul at
Tue May 24 01:01:42 PDT 2005

On Mon, 2005-05-23 at 18:03 -0700, ydnar wrote:
> HTTP headers are nontrivial to edit for some hosting environments, and 
> subject to poisoning on the part of the ISP. Parsing the output of a GET 
> request as SGML and looking for <head><link rel="openid.server"> is 
> trivial.
> TypePad users (certain user levels) can control their own HTML templates. 
> Everything from the doctype to </html>. For this user class it would in 
> theory make sense to have an HTTP header. But what happens when a page 
> specifies a link rel as well? Which one overrides the other?

What's wrong with allowing an authentication server specified in the
document to override a server header? That seems like a good way to
override a bizarre host, while allowing a sitewide auth server if none
are otherwise specified. This also allows it to be doctype agnostic if
it wants to be.

I'd use the following logic, in ugly half-perl pseudocode:
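    if (serverheader) {
        # sitewide default taken from the HTTP header
        $authserver = serverheader;
    }
    if (documenthead) {
        # a server named in the document overrides the header
        $authserver = documenthead;
    }

    if ($authserver) {
        print "Authserver is $authserver\n";
    } else {
        print "No authorization server found!\n";
    }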


Paul Timmins <paul at>
Timmins Technologies, LLC
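
The precedence rule described in this message, as an added example that is not part of the original post. The header name `X-OpenID-Server` is a hypothetical placeholder (the thread does not name one), and the sample page and URLs are constructed; only a `<link rel="openid.server">` inside `<head>` is honoured, so a link placed in the body does not count.

```python
from html.parser import HTMLParser

# Hypothetical header name (assumption); the thread does not name one.
HEADER_NAME = "x-openid-server"

# Constructed sample page: one link in <head>, one in <body> that must be ignored.
SAMPLE_PAGE = (
    '<html><head><link rel="openid.server" href="https://auth.example.net/"></head>'
    '<body><link rel="openid.server" href="https://other.example.org/"></body></html>'
)

class HeadLinkFinder(HTMLParser):
    """Records the first <link rel="openid.server"> found inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.server = None

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False
        elif tag == "link" and self.in_head and self.server is None:
            a = {k: (v or "") for k, v in attrs}
            # rel is a space-separated token list, matched case-insensitively
            rels = a.get("rel", "").lower().split()
            if "openid.server" in rels and a.get("href", "").strip():
                self.server = a["href"].strip()

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def find_auth_server(headers, body):
    """Return (server, source); the document's link overrides the HTTP header."""
    server, source = None, None
    for name, value in headers.items():
        if name.lower() == HEADER_NAME and value.strip():
            server, source = value.strip(), "header"   # sitewide default
    finder = HeadLinkFinder()
    finder.feed(body)
    if finder.server:
        server, source = finder.server, "document"     # document wins
    return server, source
```

Returning the source alongside the server lets a consumer log which of the two channels supplied the value.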
