On 2/07/2015 08:06, Shane Tomlinson wrote:
> Thanks Remy,
> 
> With Kinto, I imagine it's a browser based iframe and there should be
> some mechanism to tell the browser "ignore x-frame-options". This is the
> approach both Fennec and Fx Desktop currently take.

Alternately, we may be able to do the same thing we do with the
first-run flow, and allow-list a strict set of domains to enable this flow.

We can wait to hear more context from Paul, but I don't foresee this
requiring generic-relier iframe support.


  Ryan

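For the allow-list approach mentioned above, here is an added illustration (not FxA content-server code) of how a server can default to refusing all framing and open framing only for an exact, pre-registered origin; the `FRAME_ALLOW_LIST` contents, `normalizeOrigin` and `framingHeaders` are assumptions for this example, and the placeholder origin stands in for the real first-run host.

```javascript
// Constructed allow-list of exact origins (scheme + host + port), https only.
// In a real deployment this would hold the registered first-run origin.
const FRAME_ALLOW_LIST = new Set([
  'https://firstrun.example.org', // placeholder, not a real FxA origin
]);

// Reduce a candidate to a bare https origin, or null if it is anything else.
// Rejecting paths, userinfo, query and non-https schemes means lookalikes
// such as "https://firstrun.example.org.evil.test" or "https://user@host"
// can only match the allow-list on an exact origin comparison.
function normalizeOrigin(candidate) {
  let u;
  try {
    u = new URL(candidate);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' || u.username || u.password) return null;
  if (u.pathname !== '/' || u.search || u.hash) return null;
  return u.origin;
}

// Anti-framing headers for a response. The default denies all framing;
// only an exact allow-list hit permits a single ancestor origin.
function framingHeaders(requestedOrigin) {
  const origin = normalizeOrigin(requestedOrigin);
  if (origin !== null && FRAME_ALLOW_LIST.has(origin)) {
    return {
      // ALLOW-FROM is the RFC 7034 section 2.1 form, honoured by older browsers.
      'X-Frame-Options': `ALLOW-FROM ${origin}`,
      // frame-ancestors is the CSP directive current browsers enforce.
      'Content-Security-Policy': `frame-ancestors ${origin}`,
    };
  }
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}
```

Sending both headers keeps the policy consistent across browsers that only honour one of them, and the deny-by-default branch is what a non-allow-listed relier receives.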
> On Thu, Jul 2, 2015 at 4:02 PM, Rémy Hubscher <[email protected]
> <mailto:[email protected]>> wrote:
> 
>     Hello Shane,
> 
>     We should check with the guys from browser.html they plan to use FxA
>     with Kinto during this Q3 and I remember we talked about iframe for
>     this. (With Paul Rouget)
> 
>     Regards,
> 
>     Rémy
> 
> 
> 
>     Le 02/07/2015 16:59, Shane Tomlinson a écrit :
>>     I propose we remove iframe support for OAuth reliers.
>>
>>     We currently allow OAuth reliers and the upcoming firstrun flow to
>>     iframe FxA. Iframe support was added to allow Marketplace to embed
>>     FxA in-content.
>>
>>     Some fairly byzantine client-side checks are performed to ensure
>>     we aren't opening users up to phishing attacks. Those checks are
>>     complex, and honestly, pretty gross.
>>
>>     Ryan Kelly asked a good question - if no OAuth reliers currently
>>     ifram FxA, why do we even offer the functionality?
>>      
>>     Marketplace was able to integrate FxA without using an iframe. No
>>     other OAuth reliers that I know of use the iframe. I'd like to rip
>>     out OAuth relier iframe support and reduce the possible attack
>>     surface area.
>>
>>     Without iframe support, we could simplify the content server, 123done
>>     (a test relier), and the fxa-relier-client.
>>
>>     Note, iframe support would still be available for the first run
>>     flow, no changes there.
>>
>>     Andy and Stuart, this would primarily affect you. Does anybody
>>     else know of an OAuth relier that iframes FxA?
>>
>>     Shane
>>
>>     ------------------------
>>
>>     [1] - https://tools.ietf.org/html/rfc7034#section-2.1
>>
>>
>>     _______________________________________________
>>     Dev-fxacct mailing list
>>     [email protected] <mailto:[email protected]>
>>     https://mail.mozilla.org/listinfo/dev-fxacct
> 