Hello Shane,

We should check with the guys from browser.html; they plan to use FxA with Kinto during this Q3, and I remember we talked about an iframe for this. (With Paul Rouget)
Regards,
Rémy

On 02/07/2015 16:59, Shane Tomlinson wrote:
> I propose we remove iframe support for OAuth reliers.
>
> We currently allow OAuth reliers and the upcoming firstrun flow to
> iframe FxA. Iframe support was added to allow Marketplace to embed FxA
> in-content.
>
> Some fairly byzantine client-side checks are performed to ensure we
> aren't opening users up to phishing attacks. Those checks are complex,
> and honestly, pretty gross.
>
> Ryan Kelly asked a good question - if no OAuth reliers currently iframe
> FxA, why do we even offer the functionality?
>
> Marketplace was able to integrate FxA without using an iframe. No
> other OAuth reliers that I know of use the iframe. I'd like to rip out
> OAuth relier iframe support and reduce the possible attack surface area.
>
> Without iframe support, we could simplify the content server, 123done (a
> test relier), and the fxa-relier-client.
>
> Note, iframe support would still be available for the first run flow,
> no changes there.
>
> Andy and Stuart, this would primarily affect you. Does anybody else
> know of an OAuth relier that iframes FxA?
>
> Shane
>
> ------------------------
>
> [1] - https://tools.ietf.org/html/rfc7034#section-2.1
>
>
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct
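The "byzantine client-side checks" Shane refers to exist because letting a login page be framed means every ancestor frame, not just the immediate relier, must be a trusted origin, and because matching those origins loosely is an easy way to hand the login form to a phishing page. The block below is an added illustration written for this thread, not code from the FxA content server or the fxa-relier-client; the allowlisted origins (relier.example, shop.example:8443) are made up, and it shows the two halves of such a scheme: the response headers a server would emit for an allowlist (CSP frame-ancestors, with X-Frame-Options from RFC 7034 as the deny-only fallback), and the in-page decision over the chain of ancestor origins. An empty allowlist is the "no iframe support" state the proposal moves to.

```javascript
// Added example, not FxA code. Origins below are constructed for illustration.
"use strict";

// Assumed allowlist of reliers permitted to frame the login page.
// An empty list is the "no iframe support" state proposed in the thread.
const ALLOWED_FRAMERS = ["https://relier.example", "https://shop.example:8443"];

// Normalise a URL or origin string to a canonical origin (scheme://host[:port]).
// Returns null for unparseable input and for opaque ("null") origins such as
// sandboxed frames or about:blank, which must never match an allowlist entry.
function normalizeOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch (_) {
    return null;
  }
}

// Exact origin comparison. Prefix or substring matching is the classic bug:
// "starts with https://relier.example" admits https://relier.example.attacker.test.
function isAllowedOrigin(origin, allowed) {
  const o = normalizeOrigin(origin);
  return o !== null && allowed.some((a) => normalizeOrigin(a) === o);
}

// Server side: framing headers for the login page. CSP frame-ancestors takes a
// list of origins. X-Frame-Options (RFC 7034) only offers DENY, SAMEORIGIN and the
// single-origin ALLOW-FROM, which Chrome and Safari never implemented, so it is
// emitted only for the deny case, as a fallback for browsers without CSP.
function frameHeadersFor(allowed) {
  const origins = allowed.map(normalizeOrigin).filter((o) => o !== null);
  if (origins.length === 0) {
    return {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
    };
  }
  return { "Content-Security-Policy": `frame-ancestors ${origins.join(" ")}` };
}

// Client side: decide from the chain of ancestor origins (parent first, top-level
// last, as location.ancestorOrigins reports it) whether the page may render.
// Every ancestor must be allowed: an allowed relier that is itself framed by an
// attacker still leaves the login form under the attacker's control.
// Returns "top-level", "allowed" or "blocked".
function framingDecision(ancestorOrigins, allowed) {
  if (!ancestorOrigins || ancestorOrigins.length === 0) return "top-level";
  return ancestorOrigins.every((o) => isAllowedOrigin(o, allowed)) ? "allowed" : "blocked";
}

// In-page wrapper over real window globals. Firefox does not implement
// location.ancestorOrigins, so when the chain cannot be inspected the only safe
// default for a framed login page is to refuse (and, in practice, break out to
// a top-level view rather than render the form).
function enforceFraming(win, allowed) {
  if (win.top === win.self) return "top-level";
  const chain = win.location && win.location.ancestorOrigins
    ? Array.from(win.location.ancestorOrigins)
    : null;
  if (chain === null) return "blocked";
  return framingDecision(chain, allowed);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(frameHeadersFor(ALLOWED_FRAMERS));
  console.log(frameHeadersFor([]));
  console.log(framingDecision(["https://relier.example"], ALLOWED_FRAMERS));
  console.log(framingDecision(["https://relier.example", "https://evil.example"], ALLOWED_FRAMERS));
}
```

Note that the in-page check is a defence in depth only: the server-side frame-ancestors header is what actually stops a hostile page from embedding the login form, since a frame-busting script can be neutralised by sandboxing the iframe. Dropping relier iframe support altogether lets both halves collapse to the deny case.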

