Hi David, I'm sympathetic to the user continuity issues. There are several technical approaches that could work here:
1) Serialize application state to localStorage or the server session before navigating the browser to FxA. This would be handled entirely on the Marketplace side.

2) Load the FxA flow in an embedded iframe on the Marketplace site. We currently don't allow framing of the FxA pages because of "clickjacking" concerns. The OAuth RFC also recommends against allowing OAuth flows in iframes.

3) Load the FxA flow in a new tab/window and postMessage the results back to the original Marketplace window after the OAuth flow completes. This is a viable option and would be similar to the existing Persona flow. It sounds like Andy may already be exploring this option to handle some of the b2g use cases.

After discussing it with our team, we are negative on the iframe approach due to clickjacking concerns, but hopefully one of the other two options will work.

-chris

On Jun 20, 2014, at 1:24 PM, David Bialer <[email protected]> wrote:

> Just wanted to clarify the issue - which for me is a user issue, not a
> security issue.
>
> Without getting into how this is accomplished, what we are trying to do
> is keep continuity in the task that the user is trying to accomplish.
> In Marketplace the 2 use cases would be:
> a) the user is purchasing an app - clicks on "buy" on the app details page, logs
> into account (or creates new account) if needed, lands on the confirmation page and
> confirms purchase information. With the current solution, they would click
> "Buy", login, and then land on the same app details page rather than
> advancing to the next step in the flow.
> b) the user would like to leave a review - similar to above. User clicks
> review, logs in if needed, lands on the review page and writes the review, submits.
>
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct

