On Tue, May 21, 2013 at 2:23 PM, Shane Tomlinson <stoml...@mozilla.com> wrote:
> Hi Jan,
> We have indeed discussed embedding Persona using IFRAMEs [1]; so far we have
> decided against it. The primary concern we have is that security-minded
> users would lose the ability to look at the URL bar to see if they are
> really signing in to Persona or if they are being phished.
>
> Your proposal is different to what we have considered in the past; you are
> saying *iff the user is signed in to Persona*, show the embedded IFRAME with
> their list of email addresses. Otherwise, show a button that opens the
> dialog, where the user would enter their Persona password. Primaries are an
> interesting case here, but perhaps this is a viable middle ground.

Yes, a password dialog cannot be securely served from an iframe, but a
list of emails seems safe. I can't see how a phisher could benefit
from spoofing such a list.

> Is your concern with the popup itself (as in "a popup, yuck"), or do you
> have a specific use case in mind? If we could find out more about the use
> case, maybe we can think of some additional alternatives together.

From my perspective the current solution is good enough, but I have
seen people complaining about pop-up-based login flows that require
users to switch context. Especially the redirect-based flow that some
browsers require (iOS Chrome) could benefit from an iframe-based
enhancement. This isn't a critical issue and I don't have any use case
in mind where it would be required.

Jan