On 8-Feb-07, at 5:03 PM, Allen Tom wrote:
> Hi Johnny,
>
> If the OP verifies the return_to by following all redirects until
> reaching the destination, then an evil RP could craft an Auth
> Request with the following parameters:
>
> realm=*.goodsite.com
> return_to=man.in.middle.redirect.com/legit_return_to.goodsite.com
In this example, if the realm is not contained in the domain of the return_to, the OP would report an error to the user. I agree with your original proposal about the OP verifying there are no redirects by the return_to URL that do not contain the realm.

Per my other message, a POST is not redirectable (new word? :-) unless the redirect service is employing a JavaScript "hack".

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
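The check the thread is converging on, written out as an added example (this is not code from the thread or from any OpenID library): an OP-side realm matcher using the OpenID 2.0 realm rules as I read them (same scheme and port, realm path as a prefix, host equal to the realm host or, for a `*.` realm, the realm domain or one of its subdomains), applied to every hop a redirect-following OP would visit. The email's shorthand is expanded to full https URLs, and the redirect chain is constructed in the block rather than fetched, both of which are assumptions made so the example runs offline. The `naive_contains_check` helper is included only to show why a substring test on the return_to is fooled by the URL quoted above while a host-based match is not.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    """Explicit port if given, else the scheme's default port."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def realm_matches(realm: str, url: str) -> bool:
    """True if `url` lies inside the OpenID 2.0 realm `realm`.

    Rules applied: same scheme, same port, the realm path is a prefix of the
    URL path, and the host is either an exact match or, when the realm host
    starts with "*.", the realm domain itself or any subdomain of it.
    A wildcard anywhere else, or a wildcard base without a dot ("*.com"),
    is rejected.
    """
    r, u = urlparse(realm), urlparse(url)
    if r.scheme not in DEFAULT_PORTS or u.scheme != r.scheme:
        return False
    if _port(r) != _port(u):
        return False
    if not r.hostname or not u.hostname:
        return False
    rhost, uhost = r.hostname.lower(), u.hostname.lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        if "." not in base or "*" in base:
            return False
        if not (uhost == base or uhost.endswith("." + base)):
            return False
    elif "*" in rhost or uhost != rhost:
        return False
    rpath = r.path or "/"
    return (u.path or "/").startswith(rpath)


def naive_contains_check(realm_domain: str, return_to: str) -> bool:
    """The substring test that the quoted return_to is crafted to fool:
    the realm's domain appears in the path, not in the host."""
    return realm_domain in return_to


def return_to_chain_ok(realm: str, chain: list) -> bool:
    """The proposal from the thread: every URL the return_to's redirects
    would lead through (the initial return_to included) must lie inside the
    realm. `chain` is supplied by the caller; a real OP would build it while
    following the redirects."""
    return bool(chain) and all(realm_matches(realm, hop) for hop in chain)


# Constructed inputs: the realm and return_to from Allen's message, expanded
# to full https URLs (assumption), plus a final hop on the legitimate site.
REALM = "https://*.goodsite.com/"
EVIL_CHAIN = [
    "https://man.in.middle.redirect.com/legit_return_to.goodsite.com",
    "https://legit.goodsite.com/openid/return",
]
LEGIT_CHAIN = [
    "https://www.goodsite.com/login",
    "https://app.goodsite.com/openid/return",
]

if __name__ == "__main__":
    print("naive substring check passes the evil return_to:",
          naive_contains_check("goodsite.com", EVIL_CHAIN[0]))
    print("chain check rejects the evil chain:",
          not return_to_chain_ok(REALM, EVIL_CHAIN))
    print("chain check accepts the legitimate chain:",
          return_to_chain_ok(REALM, LEGIT_CHAIN))
```

Note that `realm_matches` is applied to each hop separately, so a chain that starts on a host inside the realm but bounces through an outside host on the way is rejected as well; the thread's point that only the first URL matters for a POST still holds, since a POST is never redirected by the browser in the first place.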
