From c26b6c3be864aaf49fe0b0fc15c0af59323b7dde Mon Sep 17 00:00:00 2001 From: "http://oneingray.myopenid.com/" Date: Fri, 12 Mar 2010 22:12:41 +0000 Subject: Note the use of on YouTube. --- .../finer_control_over___60__object___47____62__s.mdwn | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn index 0ca949954..50c4d43bf 100644 --- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn +++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn @@ -57,10 +57,23 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by >> `usemap`) should make `object` almost as harmless as, say, `img`. >>> But with local data, one could not embed youtube videos, which surely ->>> is the most obvious use case? Note that youtube embedding uses an +>>> is the most obvious use case? + +>>>> Allowing a “remote” object to render on one's page is a + security issue by itself. + Though, of course, having an explicit whitelist of URI's may make + this issue more tolerable. + — [[Ivan_Shmakov]], 2010-03-12Z. + +>>> Note that youtube embedding uses an >>> object element with no classid. The swf file is provided via an >>> enclosed param element. --[[Joey]] +>>>> I've just checked a random video on YouTube and I see that the + `.swf` file is provided via an enclosed `embed` element. Whether + to allow those or not is a different issue. + — [[Ivan_Shmakov]], 2010-03-12Z. + >> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being >> restricted in such a way.) -- cgit v1.2.3 From 4da6e94305c2c7f4adab057b362d9e58a7494439 Mon Sep 17 00:00:00 2001 From: "https://www.google.com/accounts/o8/id?id=AItOawm-ebiIfxbKD3KNa-Cu9LvvD9edMLW7BAo" Date: Sat, 13 Mar 2010 21:14:35 +0000 Subject: Google's OpenID and discovery protocol --- doc/forum/google_openid_broken__63__.mdwn | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/forum/google_openid_broken__63__.mdwn b/doc/forum/google_openid_broken__63__.mdwn index 68b44f2c1..0e41d4ced 100644 --- a/doc/forum/google_openid_broken__63__.mdwn +++ b/doc/forum/google_openid_broken__63__.mdwn @@ -50,3 +50,11 @@ The openid is (what a mouthfull!), and I don't know who that is or how to use it since it points to a fairly useless xml document, rather than a web page. --[[Joey]] + +> That string is what's received via the discovery protocol. The user logging in with a Google account is not supposed to write that when logging in, but rather . The OpenID client library will accept that and redirect the user to a sign in page, which will return that string as the OpenID. It's not really usable as an identifier for edits and whatnots, but an alternative would be to use the attribute exchange extension to get the email address and display that. See . + +> Yahoo's OpenID implementation works alike, but I haven't looked at it as much. It uses to receive the endpoint. + +> I've added buttons that submit the two above URLs for logging in with a Google and Yahoo OpenID, respectively, to my locally changed OpenID login plugin. + +> Using the Google profile page as the OpenID is really orthogonal to the above. --[[kaol]] -- cgit v1.2.3