Services/Identity/HTML Client: Difference between revisions

= Mozilla ID HTML Client =
The Mozilla ID HTML client is a pure-HTML implementation of the Mozilla ID relying party API that uses PostMessage to communicate with a trusted Mozil...
 
* The trusted iframe SHOULD NOT be a visible iframe or request user input directly, since a visible iframe that takes input is subject to clickjacking attacks. It SHOULD use a trusted pop-up (a top-level window the relying party cannot overlay) to communicate with the user.
* The trusted iframe MUST determine the audience (the relying party's domain) by inspecting the browser-supplied origin of each PostMessage request (the `origin` of the message event). It MUST NOT trust the relying party to assert the audience in the body of a PostMessage request, since any page can put any string there.
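The following is an added example, written for this page and not taken from the Mozilla ID client, of how the trusted iframe can derive the audience from the message event's origin and ignore anything the relying party asserts. The message shape (`{type: "getAssertion", audience}`), the reply shape, and the restriction to HTTPS origins are assumptions of the example, not part of the specification above.

```javascript
// Added example (not Mozilla ID code): audience derivation in the trusted
// iframe. The message field names and the HTTPS-only rule are assumptions.

// Derive the audience from event.origin. Returns null for origins that must
// not be trusted: the opaque "null" origin (sandboxed frames, file:// pages),
// malformed values, and anything that is not HTTPS (assumed policy).
function audienceFromOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;
  // url.origin normalises to scheme://host[:port]; that is the audience.
  return url.origin;
}

// Handle one relying-party request the way the trusted iframe should.
// `event` is the MessageEvent (in tests, an object with the same
// origin/data/source fields). Returns the reply that was sent, or null if the
// message was dropped. The audience is never read from the message body.
function handleRelyingPartyMessage(event) {
  const audience = audienceFromOrigin(event.origin);
  if (audience === null) return null;

  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.type !== "getAssertion") return null;

  // A relying party may include an `audience` field; it is ignored. If it
  // disagrees with the observed origin the request is treated as spoofing.
  if (msg.audience !== undefined && msg.audience !== audience) return null;

  const reply = { type: "assertionRequest", audience };
  // Reply only to the origin we observed, never to "*".
  event.source.postMessage(reply, audience);
  return reply;
}

// Relying-party side of the same exchange: accept a reply only if it really
// came from the trusted iframe's origin (assumed to be known in advance).
function relyingPartyAccepts(event, trustedOrigin) {
  return event.origin === trustedOrigin &&
    !!event.data && typeof event.data === "object" &&
    event.data.type === "assertionRequest";
}

// Wiring in a real page (not executed in tests):
// window.addEventListener("message", handleRelyingPartyMessage);
```

Note that `event.origin` is set by the browser and cannot be forged by the sender, which is why it is the only trustworthy source of the audience; the `audience` field in the body is accepted only when it agrees with it, and even then the observed origin is what gets used.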
For more information on the internal API the iframe uses to communicate with the Mozilla ID service, see the [[MozillaID/InternalSpec]] document.


;Trusted Pop-Up