If this is used on a web site it seems like a lot of trouble to go to. They are already on a bad site.

If the site is bad, couldn't it also be sending the user's browser a script to spoof referer?

I suspect the major threat is from email links. In that case there would be no referrer and the OP could detect that.

It could also detect people who are browsing through proxies (or modified browsers) to strip the referer information for their privacy.

"Hi, we've detected that your privacy settings prevent our software from working. To continue using OpenID, please follow these instructions to reduce your privacy on the internet."

-Shade
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
