> Complete side note: it's kind of funny that OpenID lets you specify
> some completely arbitrary string to appear in the resulting
> webpage[2].

Any server with that behavior is out of spec. Operating securely requires checking the return_to value against the trust_root, and checking that the return_to value is a valid URL. But WordPress being out of spec is what was observed to start this, anyway. So what's the surprise?

Carl
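
The check described in the message above, sketched as an added example that is not part of the original thread or of any server's code: a provider-side test that return_to is a valid URL and falls under trust_root. The function names are hypothetical, the matching rules assumed are those of OpenID 2.0 realm matching (identical scheme and port, optional "*." wildcard domain, path prefix), and the example.com URLs are constructed.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Return (scheme, host, port, path, fragment), or None if not an absolute http(s) URL."""
    try:
        u = urlsplit(url)
        port = u.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        return None
    return scheme, u.hostname, port or DEFAULT_PORTS[scheme], u.path or "/", u.fragment

def return_to_allowed(return_to, trust_root):
    """True only if return_to is a valid URL that falls under trust_root."""
    rt, tr = _parts(return_to), _parts(trust_root)
    if rt is None or tr is None or tr[4]:       # trust_root must not carry a fragment
        return False
    if rt[0] != tr[0] or rt[2] != tr[2]:        # scheme and port must be identical
        return False
    rt_host, tr_host = rt[1], tr[1]
    if tr_host.startswith("*."):
        suffix = tr_host[2:]
        # Added restriction (assumption): refuse wildcards as broad as "*.com".
        if "." not in suffix:
            return False
        # Match the domain itself or a true subdomain, never a mere string suffix.
        if rt_host != suffix and not rt_host.endswith("." + suffix):
            return False
    elif rt_host != tr_host:
        return False
    rt_path, tr_path = rt[3], tr[3]
    # Added restriction (assumption): reject ".." segments, including percent-encoded ones.
    if ".." in unquote(rt_path).split("/"):
        return False
    # Compare on a directory boundary so "/openid" does not admit "/openid-evil".
    prefix = tr_path if tr_path.endswith("/") else tr_path + "/"
    return rt_path == tr_path or rt_path.startswith(prefix)
```

A provider would run this before rendering or redirecting to anything derived from return_to, and refuse the request when it returns False.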