Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
When can RPs and primaries not source scripts from Mozilla?
14 views
Skip to first unread message
Henri Sivonen
May 24, 2013, 7:38:19 AM5/24/13
to dev-id...@lists.mozilla.org
I looked into running a Persona primary for hsivonen.fi and was shocked to
find that Mozilla tells RPs and IdPs to source scripts from
https://login.persona.org/ instead of serving their own copies of those
scripts after reviewing the scripts. It seems to me that the reason to
source the scripts from Mozilla is that Mozilla isn't guaranteeing the
stability of the protocol that those scripts implement on top of
postMessage.
I understand that the vision for Persona is aspirational at this point and
Persona isn't done yet, but there's a pretty significant dissonance between
the pitch that Persona lets you choose who you trust and requiring you to
trust https://login.persona.org/ not to pwn your origin.
Is there an expected time line for freezing the protocol implemented on top
of postMessage so that RPs and IdPs could host their own copies of the
JavaScript files?
--
Henri Sivonen
hsiv...@hsivonen.fi
find that Mozilla tells RPs and IdPs to source scripts from
https://login.persona.org/ instead of serving their own copies of those
scripts after reviewing the scripts. It seems to me that the reason to
source the scripts from Mozilla is that Mozilla isn't guaranteeing the
stability of the protocol that those scripts implement on top of
postMessage.
I understand that the vision for Persona is aspirational at this point and
Persona isn't done yet, but there's a pretty significant dissonance between
the pitch that Persona lets you choose who you trust and requiring you to
trust https://login.persona.org/ not to pwn your origin.
Is there an expected time line for freezing the protocol implemented on top
of postMessage so that RPs and IdPs could host their own copies of the
JavaScript files?
--
Henri Sivonen
hsiv...@hsivonen.fi
Shane Tomlinson
May 24, 2013, 7:53:42 AM5/24/13
to dev-id...@lists.mozilla.org
Hi Henri,
This has been a long standing sore spot within our group as well, and we
most definitely want to allow sites to self host include.js [1]. The
caveat is we want a solution that allows for future changes to the
navigator.id API without breaking sites that are self-hosting.
We are not yet sure what this solution will look like, and to avoid
breaking sites, we are recommending that sites currently not self host.
You *can* self host, but there are likely to be breaking changes in the
future.
If you have any ideas or experience on how we can fulfill all the goals,
please pile on either here on in the referenced issue.
Thanks for bringing this up, it reminds us that this is very important
to some sites,
Shane
================
[1] - https://github.com/mozilla/browserid/issues/3119
This has been a long standing sore spot within our group as well, and we
most definitely want to allow sites to self host include.js [1]. The
caveat is we want a solution that allows for future changes to the
navigator.id API without breaking sites that are self-hosting.
We are not yet sure what this solution will look like, and to avoid
breaking sites, we are recommending that sites currently not self host.
You *can* self host, but there are likely to be breaking changes in the
future.
If you have any ideas or experience on how we can fulfill all the goals,
please pile on either here on in the referenced issue.
Thanks for bringing this up, it reminds us that this is very important
to some sites,
Shane
================
[1] - https://github.com/mozilla/browserid/issues/3119
Henri Sivonen
May 24, 2013, 8:50:27 AM5/24/13
to dev-id...@lists.mozilla.org
On Fri, May 24, 2013 at 2:53 PM, Shane Tomlinson <stoml...@mozilla.com>wrote:
> This has been a long standing sore spot within our group as well, and we
> most definitely want to allow sites to self host include.js [1]. The caveat
> is we want a solution that allows for future changes to the navigator.idAPI without breaking sites that are self-hosting.
> This has been a long standing sore spot within our group as well, and we
> most definitely want to allow sites to self host include.js [1]. The caveat
>
If the navigator.id API changes, won't the site-specific code that calls it
break anyway? Once navigator.id is frozen, it doesn't seem particularly
limiting to freeze the protocol that's spoken over postMessage.
> If you have any ideas or experience on how we can fulfill all the goals,
> please pile on either here on in the referenced issue.
>
After all, once navigator.id goes native in multiple browsers, it won't be
a good idea to keep changing it, so it has to freeze at some point.
I understand it's not frozen yet. I was just curious if there is a timeline
for freezing.
--
Henri Sivonen
hsiv...@hsivonen.fi
Alexandre DELOUP
May 24, 2013, 7:43:24 AM5/24/13
to dev-id...@lists.mozilla.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
As far as I know (correct me if I'm wrong), the documentation
encourages you to source the script located at login.persona.org
because Persona is still in a massive development process, so the
script can change very often, so it's a safier way to work, instead of
updating your local copy every time.
Alexandre (quack1)
- --
Unix is user-friendly. It's just very selective about who its friends are.
PGP public key ID : 0xA26B95CD
Le 24/05/2013 13:38, Henri Sivonen a écrit :
> I looked into running a Persona primary for hsivonen.fi and was
> shocked to find that Mozilla tells RPs and IdPs to source scripts
> from https://login.persona.org/ instead of serving their own copies
> of those scripts after reviewing the scripts. It seems to me that
> the reason to source the scripts from Mozilla is that Mozilla isn't
> guaranteeing the stability of the protocol that those scripts
> implement on top of postMessage.
>
> I understand that the vision for Persona is aspirational at this
> point and Persona isn't done yet, but there's a pretty significant
> dissonance between the pitch that Persona lets you choose who you
> trust and requiring you to trust https://login.persona.org/ not to
> pwn your origin.
>
> Is there an expected time line for freezing the protocol
> implemented on top of postMessage so that RPs and IdPs could host
> their own copies of the JavaScript files?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJRn1JbAAoJEAtPUHyia5XNzmYIAIrv5MTpA+mZlcQjNJsd8JqQ
fT7CNrHwe2uSqiuVWMfNPj5aiOrlxVGZWRN1uF/uwTHNmKPLry8iAwstwOYsu/hY
hNEaxrOxRL3BD0JpezmcB2pDXqzLAwhmqLohyoHnNWwUGw+F6Dy8RdzWGWbi4srr
Pq9hp5P143s+ZmR4yWwSrfvApDzioYWlJzz09aXGqlCuZsjm0cMK2IaDhrkTIyrm
zxciJkFp0q7gzHinJENcX+7YQs/8K3UPA6qQjuNu4/K1id5PAlGum7i1kbTMFxwX
ANgsOcUqfqY76SRXvAQxYNzIvjl/LSTcmklxaae3LTjkxKa0hVh1P6ovB+eWcEA=
=nXzn
-----END PGP SIGNATURE-----
Hash: SHA1
Hi!
As far as I know (correct me if I'm wrong), the documentation
encourages you to source the script located at login.persona.org
because Persona is still in a massive development process, so the
script can change very often, so it's a safier way to work, instead of
updating your local copy every time.
Alexandre (quack1)
- --
Unix is user-friendly. It's just very selective about who its friends are.
PGP public key ID : 0xA26B95CD
Le 24/05/2013 13:38, Henri Sivonen a écrit :
> I looked into running a Persona primary for hsivonen.fi and was
> shocked to find that Mozilla tells RPs and IdPs to source scripts
> from https://login.persona.org/ instead of serving their own copies
> of those scripts after reviewing the scripts. It seems to me that
> the reason to source the scripts from Mozilla is that Mozilla isn't
> guaranteeing the stability of the protocol that those scripts
> implement on top of postMessage.
>
> I understand that the vision for Persona is aspirational at this
> point and Persona isn't done yet, but there's a pretty significant
> dissonance between the pitch that Persona lets you choose who you
> trust and requiring you to trust https://login.persona.org/ not to
> pwn your origin.
>
> Is there an expected time line for freezing the protocol
> implemented on top of postMessage so that RPs and IdPs could host
> their own copies of the JavaScript files?
>
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJRn1JbAAoJEAtPUHyia5XNzmYIAIrv5MTpA+mZlcQjNJsd8JqQ
fT7CNrHwe2uSqiuVWMfNPj5aiOrlxVGZWRN1uF/uwTHNmKPLry8iAwstwOYsu/hY
hNEaxrOxRL3BD0JpezmcB2pDXqzLAwhmqLohyoHnNWwUGw+F6Dy8RdzWGWbi4srr
Pq9hp5P143s+ZmR4yWwSrfvApDzioYWlJzz09aXGqlCuZsjm0cMK2IaDhrkTIyrm
zxciJkFp0q7gzHinJENcX+7YQs/8K3UPA6qQjuNu4/K1id5PAlGum7i1kbTMFxwX
ANgsOcUqfqY76SRXvAQxYNzIvjl/LSTcmklxaae3LTjkxKa0hVh1P6ovB+eWcEA=
=nXzn
-----END PGP SIGNATURE-----
0 new messages