I propose we remove iframe support for OAuth reliers.

We currently allow OAuth reliers and the upcoming firstrun flow to iframe
FxA. Iframe support was added to allow Marketplace to embed FxA in-content.

Some fairly byzantine client-side checks are performed to ensure we aren't
opening users up to phishing attacks. Those checks are complex, and
honestly, pretty gross.

Ryan Kelly asked a good question - if no OAuth reliers currently iframe FxA,
why do we even offer the functionality?

Marketplace was able to integrate FxA without using an iframe. No other
OAuth reliers that I know of use the iframe. I'd like to rip out OAuth
relier iframe support and reduce the possible attack surface area.

Without iframe support, we could simplify the content server, 123done (a test
relier), and the fxa-relier-client.

Note, iframe support would still be available for the first run flow, no
changes there.

Andy and Stuart, this would primarily affect you. Does anybody else know of
an OAuth relier that iframes FxA?

Shane

_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
