Re: Proposal: Remove iframe support for OAuth reliers

Thu, 02 Jul 2015 08:13:16 -0700 

Adding Paul Rouget.

Hi Paul!  We're discussing some Firefox Accounts changes (see below)
and your name came up w.r.t. browser.html, kinto and FxA in Q3.  Can
you share any details of your plans for integration there?


  Thanks,

     Ryan

On 2/07/2015 08:02, Rémy Hubscher wrote:
> Hello Shane,
> 
> We should check with the guys from browser.html they plan to use
> FxA with Kinto during this Q3 and I remember we talked about iframe
> for this. (With Paul Rouget)
> 
> Regards,
> 
> Rémy
> 
> 
> Le 02/07/2015 16:59, Shane Tomlinson a écrit :
>> I propose we remove iframe support for OAuth reliers.
>> 
>> We currently allow OAuth reliers and the upcoming firstrun flow
>> to iframe FxA. Iframe support was added to allow Marketplace to
>> embed FxA in-content.
>> 
>> Some fairly byzantine client-side checks are performed to ensure
>> we aren't opening users up to phishing attacks. Those checks are
>> complex, and honestly, pretty gross.
>> 
>> Ryan Kelly asked a good question - if no OAuth reliers currently
>> ifram FxA, why do we even offer the functionality?
>> 
>> Marketplace was able to integrate FxA without using an iframe.
>> No other OAuth reliers that I know of use the iframe. I'd like to
>> rip out OAuth relier iframe support and reduce the possible
>> attack surface area.
>> 
>> Without iframe support, could simplify the content server,
>> 123done (a test relier), and the fxa-relier-client.
>> 
>> Note, iframe support would still be available for the first run
>> flow, no changes there.
>> 
>> Andy and Stuart, this would primarily affect you. Does anybody
>> else know of an OAuth relier that iframes FxA?
>> 
>> Shane
>> 
>> ------------------------
>> 
>> [1] - https://tools.ietf.org/html/rfc7034#section-2.1
>> 
>> 
>> _______________________________________________ Dev-fxacct
>> mailing list [email protected] 
>> https://mail.mozilla.org/listinfo/dev-fxacct
> 
> 
> 
> _______________________________________________ Dev-fxacct mailing
> list [email protected] 
> https://mail.mozilla.org/listinfo/dev-fxacct
> 
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct

Reply via email to