Securing HTML vs securing HTTP
Dag Arneson
dag at janrain.com
Tue Jan 24 19:08:46 UTC 2006
Johannes Ernst wrote:
>
> On Jan 24, 2006, at 10:24, Josh Hoyt wrote:
>
>> Also, the YADIS layer that is growing beneath OpenID and LID uses the
>> same model as OpenID,
>
>
> Ahem, no?
>
> It *can* use the same model to support those people whose hosting
> provider does not cooperate, but I tend to think that the "right" way
> of implementing it is using the X-YADIS-Location HTTP header, which I
> think is more along the lines that Jens was thinking of.
But because it can use the same model, it's vulnerable to the same
attack by the malicious plugin. This much-discussed vulnerability
points to a flaw in the plugin architecture, I think. Protecting a part
of your HTML from untrusted code shouldn't be much harder than
protecting your HTTP headers from untrusted code. Failing that, it's
certainly easy to verify that the right thing is happening in your HTML.
Dag
More information about the yadis
mailing list