Maybe the spec should carry an informative note to implementors to point out
that the HEAD element does not necessarily have any textual representation in
the HTML source?
Comments?

See the general archives for a thread between the 9th and 10th of
this month about outsourcing headers: restricting the scan for OpenID
headers to this "HEAD" area (*before* the "BODY" starts) is actually
*desirable* behavior, since it would prevent Identity theft from
injecting HTML in embedded comments, guestbooks, basically anything
that is dynamically generated server-side rather than linked to
within the page (like CSS).

The advisory for security should carry a note to implementors about
this, pointing out that the attack works even in the absence of users
(or servers) not actively supporting OpenID; permitting the theft of
Identity victims never even realized they had would not be a good PR
achievement for OpenID.
-Shade
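
A HEAD-scoped discovery scan of the kind discussed in this thread, as an added example that is not part of the original messages or of any OpenID library. It also covers the case where the HEAD element has no tags in the source. The `rel` values are the ones used by OpenID 1.1 and 2.0 HTML discovery; the class and function names, the sample page, and the "first declaration wins" rule are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Elements HTML allows in HEAD; any other start tag means the body has begun,
# even when the <head>/<body> tags themselves are omitted from the source.
HEAD_ELEMENTS = {"html", "head", "title", "base", "link", "meta",
                 "style", "script", "noscript"}
TEXT_ELEMENTS = {"title", "style", "script"}   # text inside these is still HEAD
OPENID_RELS = {"openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id"}

class HeadOnlyDiscovery(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_head = True      # assume HEAD until body content is seen
        self.text_elem = None    # title/style/script currently open, if any
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if not self.in_head or tag not in HEAD_ELEMENTS:
            self.in_head = False             # explicit or implied end of HEAD
            return
        if tag in TEXT_ELEMENTS:
            self.text_elem = tag
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in set((a.get("rel") or "").lower().split()) & OPENID_RELS:
                self.found.setdefault(rel, a["href"])   # first declaration wins

    def handle_endtag(self, tag):
        if tag == self.text_elem:
            self.text_elem = None
        if tag == "head":
            self.in_head = False

    def handle_data(self, data):
        # Stray text outside title/style/script implies the body has started.
        if self.in_head and self.text_elem is None and data.strip():
            self.in_head = False

def discover_openid(html_text):
    parser = HeadOnlyDiscovery()
    parser.feed(html_text)
    parser.close()
    return parser.found

# Constructed sample: HEAD tags omitted; the second <link> sits in body content.
SAMPLE = ('<!DOCTYPE html><title>Blog</title>'
          '<link rel="openid.server" href="https://op.example/auth">'
          '<h1>Guestbook</h1><p><link rel="openid.server" href="https://injected.example/"></p>')
```

`discover_openid(SAMPLE)` returns only the declaration that precedes the first body element; the `<link>` inside the guestbook paragraph is never considered.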