Oops. Sorry. Wrong host. Well, but the user already got redirected there so the incremental risk is small I think.
Should be; if RPs were to widely employ image checkid_immediate (or other means of trying to log a user in but not telling their browser to fully load the OP's page), they might not have been exposed (to scripts) quite yet. Then again, they're *telling* the RP that they want to use some site as an OP, so even if they make a typo, a little bit of feedback on the RP's error page ("You tried to log in with goofle.com, click here for its error message.") should duly warn them that their problem is not going to be fixed by visiting goofle.com.
-Shade
