Identity/Security/RP logo

From MozillaWiki
Revision as of 06:17, 2 May 2013 by Fmarier

Displaying logos from Relying Parties in the dialog

Relying parties are able to specify an image, through the siteLogo option.

See this related discussion: https://groups.google.com/d/topic/mozilla.dev.identity/OumzKDFTroE/discussion

Risks

  • browser executing scripts contained inside the file
  • large image taking over the visible portion of the dialog and changing the layout in a confusing or malicious way

Mitigations

  • siteLogo must be specified as an absolute path on the RP site, so the image has the RP as its origin
  • the image must be served over HTTPS to avoid mixed content issues
  • since the dialog supplies the img element, we can be sure that the layout is not confusing to the end-user, and we can use CSS rules on outer elements to enforce a maximum size
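One way to enforce the first two mitigations before the dialog builds its img element, as an added example that is not taken from the Persona code base. The function name validateSiteLogo, its return shape and the rp.example / evil.example hosts are assumptions made for illustration. The value is resolved against the RP origin and the origins are compared, because a leading-slash check alone lets protocol-relative forms through.

```javascript
// Added example (hypothetical helper, not the project's code).
// Accepts a siteLogo value only if it is an absolute path that stays on the
// RP's own HTTPS origin once a browser-style URL parser has resolved it.
function validateSiteLogo(siteLogo, rpOrigin) {
  const fail = (reason) => ({ ok: false, reason });

  if (typeof siteLogo !== "string" || !siteLogo.startsWith("/")) {
    return fail("siteLogo must be an absolute path such as /img/logo.png");
  }

  let base, resolved;
  try {
    base = new URL(rpOrigin);
    // Resolve the way the browser will: "//host/x", "/\host/x" and
    // "/<TAB>/host/x" all begin with "/" yet point at a different host.
    resolved = new URL(siteLogo, base);
  } catch (e) {
    return fail("siteLogo or RP origin is not a parseable URL");
  }

  // The path inherits the RP's scheme, so the RP itself must be on HTTPS.
  if (base.protocol !== "https:") {
    return fail("RP must be served over HTTPS to use siteLogo");
  }
  if (resolved.origin !== base.origin) {
    return fail("siteLogo resolves outside the RP origin");
  }
  return { ok: true, url: resolved.href };
}

// Constructed sample inputs: [siteLogo, RP origin]
const samples = [
  ["/img/logo.png", "https://rp.example"],
  ["//evil.example/logo.png", "https://rp.example"],
  ["/\\evil.example/logo.png", "https://rp.example"],
  ["https://rp.example/logo.png", "https://rp.example"],
  ["/img/logo.png", "http://rp.example"],
];
for (const [logo, origin] of samples) {
  console.log(JSON.stringify(logo), origin, validateSiteLogo(logo, origin));
}
```

The maximum-size mitigation is separate and stays in the dialog's own CSS; this check only decides which URL is allowed into the img element.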

Background