SitG Admin wrote:
It could also detect people who are browsing through proxies (or
modified browsers) that strip the referrer information for their privacy.
Many organizations run proxies to strip the referrer from outgoing
requests because of privacy issues.
Also, checking that the referrer's domain matches the return_to could
be problematic for RPs that run multiple domains, but have a centralized
OpenID RP service. Another problematic scenario is where the RP
integrates with a third party to implement OpenID authentication, such as
Janrain's RPX or Google Friend Connect.
Allen
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
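The check under discussion, with Allen's two failure modes made explicit, as an added example that is not code from the thread or from any OpenID library. It assumes the OpenID Provider (OP) receives the authentication request's query string plus the browser's Referer header, and compares the Referer host against openid.return_to and openid.realm (OpenID 2.0 realm host matching, including the "*.example.com" wildcard). The outcome is a signal rather than an accept/reject decision: an absent Referer is reported as "absent" rather than as an attack, because stripping proxies produce exactly that, and a Referer from a different registrable domain is reported as "mismatch", which is indistinguishable from a centralised multi-domain RP or a third-party RP service without out-of-band knowledge. Hostnames and the sample request are constructed for the illustration.

```python
"""Referer-vs-return_to classification on the OpenID Provider side.

Added illustration only (not from the mailing-list thread or any OpenID
implementation).  The classification is deliberately advisory: callers
should treat 'absent' and 'mismatch' as weak signals, not as proof of
phishing or CSRF.
"""
from urllib.parse import parse_qs, urlparse


def _host(url):
    """Lowercase hostname of a URL, or None if it has none or is malformed."""
    if not url:
        return None
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def realm_matches(realm, host):
    """Host-part of OpenID 2.0 realm matching.

    A realm host of '*.example.com' matches 'example.com' and any
    subdomain; without the wildcard the host must be identical.
    (Scheme/port/path parts of realm matching are out of scope here.)
    """
    rhost = (urlparse(realm).hostname or "").lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        return host == base or host.endswith("." + base)
    return host == rhost


def classify_referer(query_string, referer):
    """Classify an OpenID auth request by its Referer header.

    Returns one of:
      'absent'      - no Referer sent (stripping proxy / modified browser);
                      NOT evidence of an attack
      'unparseable' - return_to or Referer has no usable host
      'same_host'   - Referer host equals the return_to host
      'same_realm'  - Referer host is covered by the RP's realm
                      (multi-host RP under a wildcard realm)
      'mismatch'    - different domain: a centralised multi-domain RP,
                      a third-party RP service, or a forged request;
                      the OP cannot tell which from this check alone
    """
    params = parse_qs(query_string)
    return_to = params.get("openid.return_to", [None])[0]
    # Per OpenID 2.0 the realm defaults to return_to when omitted.
    realm = params.get("openid.realm", [return_to])[0]

    if not referer:
        return "absent"

    ref_host = _host(referer)
    rt_host = _host(return_to)
    if ref_host is None or rt_host is None:
        return "unparseable"
    if ref_host == rt_host:
        return "same_host"
    if realm and realm_matches(realm, ref_host):
        return "same_realm"
    return "mismatch"


# Constructed sample request: an RP at login.example.com with a wildcard
# realm covering all of example.com.  Hostnames are hypothetical.
SAMPLE_QUERY = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.return_to=https%3A%2F%2Flogin.example.com%2Fopenid%2Freturn"
    "&openid.realm=http%3A%2F%2F*.example.com%2F"
)

if __name__ == "__main__":
    for ref in (None,
                "https://login.example.com/signin",
                "https://shop.example.com/cart",
                "https://shop.example.net/",            # other domain, same org
                "https://auth.thirdparty.example/"):    # hosted RP service
        print(f"{str(ref):45} -> {classify_referer(SAMPLE_QUERY, ref)}")
```

The "mismatch" bucket is the one Allen is warning about: a provider that blocks on it will break RPs that serve several registrable domains from one OpenID endpoint and RPs that delegate to a hosted service, while "absent" would penalise every user behind a Referer-stripping proxy. Using the result only to raise an interstitial or to log is the conservative choice.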