Thanks Remy,

With Kinto, I imagine it's a browser based iframe and there should be some mechanism to tell the browser "ignore x-frame-options". This is the approach both Fennec and Fx Desktop currently take.
Shane

On Thu, Jul 2, 2015 at 4:02 PM, Rémy Hubscher <[email protected]> wrote:

> Hello Shane,
>
> We should check with the guys from browser.html; they plan to use FxA with Kinto during this Q3 and I remember we talked about iframe for this. (With Paul Rouget)
>
> Regards,
>
> Rémy
>
> On 02/07/2015 16:59, Shane Tomlinson wrote:
>
> I propose we remove iframe support for OAuth reliers.
>
> We currently allow OAuth reliers and the upcoming firstrun flow to iframe FxA. Iframe support was added to allow Marketplace to embed FxA in-content.
>
> Some fairly byzantine client-side checks are performed to ensure we aren't opening users up to phishing attacks. Those checks are complex, and honestly, pretty gross.
>
> Ryan Kelly asked a good question - if no OAuth reliers currently iframe FxA, why do we even offer the functionality?
>
> Marketplace was able to integrate FxA without using an iframe. No other OAuth reliers that I know of use the iframe. I'd like to rip out OAuth relier iframe support and reduce the possible attack surface area.
>
> Without iframe support, we could simplify the content server, 123done (a test relier), and the fxa-relier-client.
>
> Note, iframe support would still be available for the first run flow, no changes there.
>
> Andy and Stuart, this would primarily affect you. Does anybody else know of an OAuth relier that iframes FxA?
>
> Shane
>
> ------------------------
>
> [1] - https://tools.ietf.org/html/rfc7034#section-2.1
>
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
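An added example (not FxA's own code) of the server-side framing policy the thread argues for: only an allowlisted first-run embedder may iframe the page, every OAuth relier gets a hard deny, using the X-Frame-Options values from RFC 7034 section 2.1 alongside the equivalent CSP frame-ancestors directive. The allowlisted origin, the function names and the `context` argument are assumptions.

```javascript
// Added example, not FxA content-server code. Decides the anti-framing
// headers for a response: the first-run flow may be framed by an allowlisted
// origin, OAuth reliers (and anything unknown) may not be framed at all.

// Constructed allowlist of origins permitted to embed the first-run flow.
const FIRSTRUN_ALLOWED_ORIGINS = new Set([
  'https://www.mozilla.org', // constructed example origin, not a real policy
]);

// Reduce a candidate embedder URL to its origin; null if it is not a valid
// https URL. Comparing origins (not substrings) defeats lookalike URLs such
// as https://evil.example/?u=https://www.mozilla.org.
function parseOrigin(url) {
  if (typeof url !== 'string') return null;
  try {
    const u = new URL(url);
    return u.protocol === 'https:' ? u.origin : null;
  } catch (e) {
    return null; // unparseable input is treated as "no embedder"
  }
}

// context: 'firstrun' for the first-run flow, 'oauth' for an OAuth relier.
// embedderOrigin: the embedding page's URL as supplied with the request.
// Returns the headers to set on the response.
function framingHeaders(context, embedderOrigin) {
  const origin = parseOrigin(embedderOrigin);
  const allowed = context === 'firstrun'
    && origin !== null
    && FIRSTRUN_ALLOWED_ORIGINS.has(origin);

  if (!allowed) {
    // Default deny: RFC 7034 "DENY" plus CSP frame-ancestors 'none'.
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // RFC 7034 "ALLOW-FROM" names exactly one origin; frame-ancestors is the
  // CSP equivalent for browsers that ignore ALLOW-FROM.
  return {
    'X-Frame-Options': `ALLOW-FROM ${origin}`,
    'Content-Security-Policy': `frame-ancestors ${origin}`,
  };
}
```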

