Securing HTML vs securing HTTP

Dag Arneson dag at
Tue Jan 24 19:08:46 UTC 2006

Johannes Ernst wrote:
> On Jan 24, 2006, at 10:24, Josh Hoyt wrote:
>> Also, the YADIS layer that is growing beneath OpenID and LID uses the
>> same model as OpenID,
> Ahem, no?
> It *can* use the same model to support those people whose hosting  
> provider does not cooperate, but I tend to think that the "right" way  
> of implementing it is using the X-YADIS-Location HTTP header, which I  
> think is more along the lines that Jens was thinking of.

But because it can use the same model, it's vulnerable to the same 
attack by the malicious plugin.  This much-discussed vulnerability 
points to a flaw in the plugin architecture, I think.  Protecting a part 
of your HTML from untrusted code shouldn't be much harder than 
protecting your HTTP headers from untrusted code.  Failing that, it's 
certainly easy to verify that the right thing is happening in your HTML.


More information about the yadis mailing list