On 19/06/2014 19:46, Chris Karlof wrote:
> Keep in mind the signup flow involves an email verification step, which could be completed in another tab or the user could choose to open the link in the existing open tab, which would wipe your application state as well.
Ryan and John, IIRC from Persona user testing, we also saw that users replaced the RP's tab (here, the one with Marketplace) with their email host. If this happens and the RP is not ready for it, all application state is lost as well.
Brian Warner also points out the trust issue - without some sort of trusted UI, can users be sure that the site they are giving their credentials to is the site they intend? "A lot of the existing frameable mutually-suspicious-origin resources are using stored credentials, not asking for new ones."
Here in the UK online stores use iframes containing content from the user's bank to verify/authorize users. The bank's content presents the user with some sort of already set up phrase or photo, and asks for their password.
Shane
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
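The state-loss problem raised above (the RP's tab being replaced by the email host, or the verification link opening in the same tab) is usually handled by persisting signup progress outside in-memory JS state. The following is an added example, not code from the thread or from Firefox Accounts or Marketplace; the storage key, the allow-list of persisted fields and the 15-minute expiry are assumptions, and the storage interface matches `window.localStorage` so an in-memory stand-in can be used outside a browser.

```javascript
// Added example: persist an RP's signup progress so it survives the user's
// tab being replaced by the email host or the verification link opening
// in this tab. Storage interface (getItem/setItem/removeItem) matches
// window.localStorage; key name, field list and expiry are assumptions.
const SIGNUP_STATE_KEY = 'signup-state';
// Only non-secret fields are persisted; credentials never touch storage.
const PERSISTED_FIELDS = ['email', 'step', 'returnTo'];

// Call before telling the user to check their email (i.e. before the tab
// may be lost). Returns the subset of state that was actually persisted.
function saveSignupState(storage, state, now = Date.now()) {
  const safe = {};
  for (const field of PERSISTED_FIELDS) {
    if (state[field] !== undefined) safe[field] = state[field];
  }
  storage.setItem(SIGNUP_STATE_KEY, JSON.stringify({ savedAt: now, state: safe }));
  return safe;
}

// Call on page load. Returns the saved state, or null when there is none,
// when it is corrupt, or when it is older than maxAgeMs (stale entries are
// discarded so the user restarts rather than resuming an abandoned flow).
function restoreSignupState(storage, now = Date.now(), maxAgeMs = 15 * 60 * 1000) {
  const raw = storage.getItem(SIGNUP_STATE_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    storage.removeItem(SIGNUP_STATE_KEY); // corrupt entry: discard, do not trust
    return null;
  }
  if (!record || typeof record.savedAt !== 'number' || now - record.savedAt > maxAgeMs) {
    storage.removeItem(SIGNUP_STATE_KEY); // stale entry: start over
    return null;
  }
  return record.state;
}

// Call once email verification has completed.
function clearSignupState(storage) {
  storage.removeItem(SIGNUP_STATE_KEY);
}

// Minimal in-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```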

