On 1/18/12 4:14 PM, Burak Yiğit Kaya wrote:
> I think this is a good motivation though I'm not sure if it's the best
> solution to the problems you mention. First of all, having an event
> system actually means many different handlers can listen on the event
> which I fear is not a very good use case for BrowserID.
Yes, I had this same worry. When I walked through all the use cases,
however, I realized that the callback approach was not that much better:
an attacker with script access to the site can easily replace the login
button with his own, set up his own callback, and intercept the
assertion almost as easily as by listening in on the event. So I think
events don't actually make security any worse, even if there is a
perception, at first, that they might.
> And secondly, how can you make sure that the initial firing of the event is never
> missed? This can be a tricky issue.
It's fairly straight-forward if you add the event listener before you
call navigator.id.get(), no?
And for the case where we want to fire the event automatically for users
who are permanently logged in, we follow a simple rule: register the
event handler before window.onLoad, and we promise not to fire the event
until after window.onLoad.
This seems relatively predictable. What do you think?
> I would suggest using something like
> the promises which can be resolved immediately, use a property-like
> function to check the login state(isLogged() etc.) or keep the current
> usage since it makes more sense.
This wouldn't be very different from callbacks in terms of what it
offers. Specifically, we'd like to be able to auto-fire the login event
if the user has opted to be always logged in. If you can't fire the
event until a promise is created (from calling navigator.id.get() I'm
guessing), then that feature goes away, and it's not clear that we have
a reason to move away from callbacks.
Let me know if I missed something.
-Ben