Hi,

On Sep 2, 2011, at 1:59 PM, J. David Beutel wrote:

> On 2011-09-02 05:37 , Rhett Sutphin wrote:
>> * User clicks on a login link, which brings up the lightbox with CAS in an
>> iframe within. (If the user has JS disabled, this link goes to the usual
>> full-page CAS login.)
>> * The user logs into the iframed CAS login page.
>
> With an iframe, does the browser display the SSL-authenticated CAS host name?
> I suppose most users don't bother to look at that, but it would be a shame
> to take away their ability to see who they're giving their password to.

A browser doesn't display the source URL for an iframe anywhere in the default chrome. The iframe appears as though it is part of the (SSL protected) application that the user is authenticating to.

To the extent that the user is analyzing who will receive his credentials, it appears to a non-technical user that the application is receiving them. Since the reality is that a service on which the application has chosen to rely is receiving the credentials, I don't think this is misleading. (It's very similar to the case where the application takes the credentials directly and then passes them on to an LDAP server in the background.)

Rhett

>
> Cheers,
> 11011011
