I don't think the Marketplace ever supported the iframe flow, but you'd have to ask the Marketplace about their plans (we don't work on it anymore).
Would be concerned that this affects payments who were planning on using the iframe flow using the library you wrote, but then you confused me by saying " iframe support would still be available for the first run flow". Sorry, I'm not up on the terminology and don't know the full extent of your proposal. On Thu, Jul 2, 2015 at 7:59 AM, Shane Tomlinson <[email protected]> wrote: > I propose we remove iframe support for OAuth reliers. > > We currently allow OAuth reliers and the upcoming firstrun flow to iframe > FxA. Iframe support was added to allow Marketplace to embed FxA in-content. > > Some fairly byzantine client-side checks are performed to ensure we aren't > opening users up to phishing attacks. Those checks are complex, and > honestly, pretty gross. > > Ryan Kelly asked a good question - if no OAuth reliers currently ifram > FxA, why do we even offer the functionality? > > Marketplace was able to integrate FxA without using an iframe. No other > OAuth reliers that I know of use the iframe. I'd like to rip out OAuth > relier iframe support and reduce the possible attack surface area. > > Without iframe support, could simplify the content server, 123done (a test > relier), and the fxa-relier-client. > > Note, iframe support would still be available for the first run flow, no > changes there. > > Andy and Stuart, this would primarily affect you. Does anybody else know > of an OAuth relier that iframes FxA? > > Shane > > ------------------------ > > [1] - https://tools.ietf.org/html/rfc7034#section-2.1 >
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
