dennisreimann
commented
14 years ago nice idea :)
Closed djmaze closed 14 years ago
dennisreimann
commented
14 years ago nice idea :)
dennisreimann
commented
14 years ago Is this feature ready to merge?
djmaze
commented
14 years ago The state is "works for me", and tests pass. Also I just made sure the check for the requesting domains complies with the OpenID spec.
So, ready to merge, I believe ;-)
dennisreimann
commented
14 years ago Ok, go ahead :)
djmaze
commented
14 years ago Done. See f84247ef135a88b7fd76c0cff868e7b1e7a2ff07
dennisreimann
commented
14 years ago Thank you :)
It would be nice if corporate users had a more comfortable login. In my opinion the "safe login" page could be skipped for requests coming from trusted sites.
I created a trusted_domains branch with a new configuration option "trusted_domains" (see f84247ef135a88b7fd76c0cff868e7b1e7a2ff07). You can list the domains of all sites that should be trusted, skipping the safe login page and going straight to the real login page for those requests.
I am not 100% sure about security implications. If DNS on the user's system is compromised, the anti-phishing page will not help either way - he could be sent to a fake server with the same URL as the real Masquerade server. Are there any other problems to think of? Or is this feasible?
Also, I am not quite sure if the host check in OpenIdRequest#from_trusted_domain? is right. (I am no OpenID expert. Just tested with some real requests.)