silly classic path
Martin Atkins
mart at degeneration.co.uk
Tue May 24 22:32:10 PDT 2005
Brad Fitzpatrick wrote:
> In discussing the path of the "classic" (non-"AJAX") auth path, we noticed
> something silly.
>
> Consider this fragment from helper.bml:
>
> if (my $setup = $csr->user_setup_url) {
>     if ($classic_mode) {
>         return BML::redirect($setup);
>     } else {
>         my $e_url = js_dumper($setup);
>         return $js_page->("if (parent.location.host == location.host) parent.OpenID_callback_fail($e_url);\n");
>     }
> }
>
I must admit I did think this was a bit odd when I was writing my
consumer. However, I guessed that it just gives the Consumer the ability
to veto the returned URL if it looks "suspicious". Of course, it also
gives the consumer the ability to, for example, see the URL to
LiveJournal's authorization page and redirect to a page which looks a
lot like it and steal the user's password.

As far as I can tell, my code will go on working; it'll never actually
do the user_setup_url path because the server will just go ahead and do
it itself, but the rest will work.

I'm currently writing a new consumer using your ::Consumer module
anyway, so I'm not going to be updating that cruddy old code except
perhaps to make it use ::Consumer at some point.
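The concern raised in the message above is that a consumer handed a user_setup_url can send the browser anywhere, including to a look-alike of the identity server's approval page. The Python below is an added illustration of what a consumer-side "veto" of a suspicious setup URL could look like before either branch of the quoted helper.bml logic is taken; it is not code from this thread, from helper.bml or from the ::Consumer module, the hostnames are constructed, and the rule "the setup URL must share scheme, host and effective port with the identity server endpoint the consumer discovered" is my assumption, not something the original post specifies.

```python
"""Consumer-side check on an OpenID user_setup_url (added illustration).

Assumption (not from the original thread): the consumer already discovered
the identity server endpoint for this user, and a setup URL is only followed
if it has the same origin (scheme, host, effective port) as that endpoint.
"""
from urllib.parse import urlsplit

# Default ports used when the URL does not name one explicitly.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    """Return (scheme, host, port) for a plain http(s) URL, or None if the URL
    is not something a consumer should ever redirect a browser to."""
    try:
        parts = urlsplit(url)
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        return None  # javascript:, data:, file: and friends are never followed
    if parts.username is not None or parts.password is not None:
        return None  # refuse "https://trusted.example@evil.example/" confusion
    if not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or _DEFAULT_PORTS[scheme])


def setup_url_is_trusted(setup_url: str, server_url: str) -> bool:
    """True only if setup_url has the same origin as the discovered identity
    server endpoint (server_url). Scheme downgrades, userinfo tricks and
    non-http schemes all fail the check."""
    setup_origin = _origin(setup_url)
    server_origin = _origin(server_url)
    if setup_origin is None or server_origin is None:
        return False
    return setup_origin == server_origin


def handle_setup_url(setup_url: str, server_url: str, classic_mode: bool):
    """Mirror of the quoted helper.bml branch with the trust check in front.

    Returns a (action, url) pair so the caller can redirect, hand the URL to
    the JS failure callback, or refuse outright.
    """
    if not setup_url_is_trusted(setup_url, server_url):
        return ("refuse", None)
    if classic_mode:
        return ("redirect", setup_url)            # BML::redirect($setup)
    return ("js_callback_fail", setup_url)       # parent.OpenID_callback_fail($e_url)


if __name__ == "__main__":
    # Constructed sample values, not real endpoints.
    server = "https://id.example.net/openid/server"
    for candidate in (
        "https://id.example.net/openid/approve?trust_root=rp.example",
        "https://id.example.net@evil.example/openid/approve",
        "http://id.example.net/openid/approve",
        "javascript:alert(1)",
    ):
        print(candidate, "->", handle_setup_url(candidate, server, classic_mode=True))
```

The check is deliberately stricter than comparing hostnames alone: it rejects a scheme downgrade to plain http, rejects URLs with a userinfo component, and normalises the port so `https://id.example.net:443/...` is treated as the same origin as `https://id.example.net/...`.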