Securing HTML vs securing HTTP
Josh Hoyt
josh at janrain.com
Mon Jan 23 17:15:22 UTC 2006
Jens,
On 1/23/06, Jens Alfke <jens at mooseyard.com> wrote:
> I haven't looked into the source code of the various
> OpenID client implementations; are they smart enough to recognize only real
> <link> tags, not CDATA content?
I can't speak for other OpenID implementations, but we were very
careful when implementing our OpenID libraries[1] to ensure that we
only accept <link> tags when they are in the <head> of an HTML
document. We have a test suite[2] to make sure that broken HTML does
not cause us to recognise <link> tags in unexpected places, and to
inform users of our library what markup will be accepted.
Unless the OpenID consumer site is trustworthy, the site's use of
OpenID authentication is meaningless. We hope that users can trust
sites that use our libraries.
Josh
1. http://www.openidenabled.com/openid/libraries
2. http://www.openidenabled.com/resources/darcsweb?r=python-openid;a=headblob;f=/test/linkparse.txt
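The property Josh describes, that a consumer must only honour `<link>` tags that are real markup inside the document `<head>`, can be shown with a small parser. The following is an added example written for this archive page; it is not python-openid's own link parser and does not reproduce that library's exact rules. It uses Python's standard `html.parser`, whose tokenizer already treats comment bodies, `<script>`/`<style>` contents and `<![CDATA[...]]>` sections as non-markup, and adds the head-only rule on top. Assumptions beyond the message: only the first `<head>` counts, the head ends at `</head>`, `<body>` or `</html>`, `rel` values are compared case-insensitively, and the OpenID 1.x `rel` names `openid.server` and `openid.delegate` are what a consumer is looking for. The sample HTML documents are constructed for the example.

```python
import html.parser


class HeadOnlyLinkParser(html.parser.HTMLParser):
    """Collect (rel, href) from <link> tags that are real markup inside the first <head>.

    A <link> that appears inside a comment, inside <script>/<style> text, inside a
    CDATA section, before the first <head>, or after </head>/<body> is ignored.
    (Assumed rules for this example, not python-openid's exact behaviour.)
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []          # (rel, href) pairs in document order
        self._in_head = False
        self._head_seen = False
        self._finished = False   # set once the head region is over for good

    def handle_starttag(self, tag, attrs):
        if self._finished:
            return
        if tag == "head":
            if not self._head_seen:   # a second <head> does not reopen the region
                self._head_seen = True
                self._in_head = True
            return
        if tag == "body":             # <body> implicitly closes the head
            self._in_head = False
            self._finished = True
            return
        if tag == "link" and self._in_head:
            attr = dict(attrs)        # attribute names are already lowercased
            rel, href = attr.get("rel"), attr.get("href")
            if rel and href:          # valueless rel=/href= is not a usable link
                self.links.append((rel.strip().lower(), href.strip()))

    def handle_endtag(self, tag):
        if tag in ("head", "html"):
            self._in_head = False
            self._finished = True

    def handle_comment(self, data):
        pass   # text inside <!-- --> is not markup, whatever it looks like

    def unknown_decl(self, data):
        pass   # <![CDATA[ ... ]]> content is not markup either


def find_head_links(document):
    """Return the accepted (rel, href) pairs for an HTML document string."""
    parser = HeadOnlyLinkParser()
    parser.feed(document)
    parser.close()
    return parser.links


def openid_endpoints(document):
    """Return (server, delegate): the href of the first accepted link carrying each
    OpenID 1.x rel value, or None if the document has no such link in its head."""
    server = delegate = None
    for rel, href in find_head_links(document):
        rels = rel.split()            # rel is a whitespace-separated token list
        if server is None and "openid.server" in rels:
            server = href
        if delegate is None and "openid.delegate" in rels:
            delegate = href
    return server, delegate


# Constructed sample: two genuine links plus four decoys that must be ignored.
SAMPLE = """<html><head>
<title>Alice's page</title>
<link rel="openid.server" href="https://idp.example/openid">
<link rel="openid.delegate" href="https://idp.example/alice">
<!-- <link rel="openid.server" href="https://evil.example/comment"> -->
<script type="text/javascript">
  var s = '<link rel="openid.server" href="https://evil.example/script">';
</script>
<![CDATA[<link rel="openid.server" href="https://evil.example/cdata">]]>
</head><body>
<link rel="openid.server" href="https://evil.example/body">
</body></html>"""

# Constructed sample: broken markup with a <link> before the <head> opens.
EARLY_LINK = ('<html><link rel="openid.server" href="https://evil.example/early">'
              '<head><link rel="openid.server" href="https://idp.example/ok"></head></html>')

# Constructed sample: no <head> at all, so nothing may be accepted.
NO_HEAD = '<html><body><link rel="openid.server" href="https://evil.example/body"></body></html>'

if __name__ == "__main__":
    print(find_head_links(SAMPLE))
    print(openid_endpoints(SAMPLE), openid_endpoints(EARLY_LINK), openid_endpoints(NO_HEAD))
```

Running the block on the first sample yields only the two `idp.example` links; the commented, scripted, CDATA and body decoys never reach `handle_starttag`, which is the point of a test suite like the one linked in [2]: the parser's accept/reject rules are stated as test cases rather than left to whatever the tokenizer happens to do with broken HTML.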