silly classic path

Martin Atkins mart at degeneration.co.uk
Tue May 24 22:32:10 PDT 2005


Brad Fitzpatrick wrote:
> In discussing the path of the "classic" (non-"AJAX") auth path, we noticed
> something silly.
> 
> Consider this fragment from helper.bml:
> 
>     if (my $setup = $csr->user_setup_url) {
>         if ($classic_mode) {
>             return BML::redirect($setup);
>         } else {
>             my $e_url = js_dumper($setup);
>             return $js_page->("if (parent.location.host == location.host) parent.OpenID_callback_fail($e_url);\n");
>         }
>     }
> 

I must admit I did think this was a bit odd when I was writing my 
consumer. However, I guessed that it just gives the Consumer the ability 
to veto the returned URL if it looks "suspicious". Of course, it also 
gives the consumer the ability to, for example, see the URL to 
LiveJournal's authorization page and redirect to a page which looks a 
lot like it and steal the user's password.

As far as I can tell, my code will go on working; it'll never actually 
do the user_setup_url path because the server will just go ahead and do 
it itself, but the rest will work.

I'm currently writing a new consumer using your ::Consumer module 
anyway, so I'm not going to be updating that cruddy old code except 
perhaps to make it use ::Consumer at some point.
