Also note that URL parameters are not secured by TLS in HTTPS. -- Dick
On 13-Oct-06, at 3:57 AM, Chris Drake wrote: > Hi All, > > Just so everyone remembers: "GET" encoded "http://" URLs usually > appear en-mass in public lists (from proxy cache logs). If you don't > want to "POST" data anyplace, remember to expect "replay attacks" > often. > > Kind Regards, > Chris Drake > > > Friday, October 13, 2006, 7:48:31 PM, you wrote: > > JH> On 10/13/06, Martin Atkins <[EMAIL PROTECTED]> wrote: >>>> True, even one single pass through parameter should do. >>> >>> This causes the minor inconvenience that the RP will probably now >>> have >>> to implement its own parsing, rather than using the framework's >>> pre-supplied functions for dealing with urlencoded query strings. >>> >>> Not a major deal, but I'd guess that this is where the idea to use >>> return_to args came from in the first place. > > JH> return_to arguments can only be trusted if they are taken from the > JH> signed return_to parameter, which means parsing the signed > return_to > JH> parameter anyway. So it's at least no worse. > > JH> It's better in that the parameters do not now appear twice in the > JH> response (once double-encoded) > > JH> Example of a response with parameter in the return_to: > > JH> http://a.url/?drink=0xC0FFEE%21&openid.return_to=http%3A//a.url/ > %3Fdrink%3D0xC0FFEE%2521&... > > JH> Example of a response with hypothetical openid.appdata field: > > JH> http://a.url/?openid.appdata=drink%3D0xC0FFEE% > 21&openid.return_to=http%3A//a.url/&... > > JH> Josh > JH> _______________________________________________ > JH> specs mailing list > JH> specs@openid.net > JH> http://openid.net/mailman/listinfo/specs > > > > _______________________________________________ > specs mailing list > specs@openid.net > http://openid.net/mailman/listinfo/specs > > _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs