Ah, I conflated Marketplace with Payments in my mind. What are your iframe
plans for Payments, and are there any alternatives to using an iframe,
possibly the redirect flow?

Firstrun flow is distinct from your work; the first run flow is the tour
that is displayed the first time a Firefox user opens Firefox with a new
profile.

Thanks Andy,
Shane


On Thu, Jul 2, 2015 at 9:18 PM, Andrew McKay <[email protected]> wrote:

> I don't think the Marketplace ever supported the iframe flow, but you'd
> have to ask the Marketplace about their plans (we don't work on it
> anymore).
>
> Would be concerned that this affects payments who were planning on using
> the iframe flow using the library you wrote, but then you confused me by
> saying "iframe support would still be available for the first run flow".
>
> Sorry, I'm not up on the terminology and don't know the full extent of
> your proposal.
>
> On Thu, Jul 2, 2015 at 7:59 AM, Shane Tomlinson <[email protected]>
> wrote:
>
>> I propose we remove iframe support for OAuth reliers.
>>
>> We currently allow OAuth reliers and the upcoming firstrun flow to iframe
>> FxA. Iframe support was added to allow Marketplace to embed FxA in-content.
>>
>> Some fairly byzantine client-side checks are performed to ensure we
>> aren't opening users up to phishing attacks. Those checks are complex, and
>> honestly, pretty gross.
>>
>> Ryan Kelly asked a good question - if no OAuth reliers currently iframe
>> FxA, why do we even offer the functionality?
>>
>> Marketplace was able to integrate FxA without using an iframe. No other
>> OAuth reliers that I know of use the iframe. I'd like to rip out OAuth
>> relier iframe support and reduce the possible attack surface area.
>>
>> Without iframe support, we could simplify the content server, 123done (a
>> test relier), and the fxa-relier-client.
>>
>> Note, iframe support would still be available for the first run flow, no
>> changes there.
>>
>> Andy and Stuart, this would primarily affect you. Does anybody else know
>> of an OAuth relier that iframes FxA?
>>
>> Shane
>>
>> ------------------------
>>
>> [1] - https://tools.ietf.org/html/rfc7034#section-2.1
>>
>
>
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct