
6 Oct 2010, 8:31 p.m.
Complete side note: it's kind of funny that OpenID lets you specify some completely arbitrary string to appear in the resulting webpage[2].
Any server with that behavior is out of spec. Operating securely requires checking the return_to value against the trust_root, and checking that the return_to value is a valid URL. But WordPress being out of spec is what was observed to start this, anyway. So what's the surprise?

Carl
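
The check described in the message above, sketched as an added example that is not part of the original post or of any OpenID library: a provider-side test that return_to is a valid http(s) URL and falls under trust_root, following the realm-matching rules of OpenID Authentication 2.0 (same scheme and port, equal or wildcard-matched host, path equal to or below the trust_root path). The function names and sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parse(url, allow_wildcard=False):
    """Return (scheme, host, port, path, wildcard), or None if url is not acceptable."""
    # Raw whitespace, control characters, <, > and " are never valid in a URL.
    if any(c.isspace() or ord(c) < 0x20 or c in '<>"' for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return None
    scheme, host = parts.scheme.lower(), parts.hostname or ""
    if scheme not in DEFAULT_PORTS or parts.username or parts.password:
        return None
    wildcard = allow_wildcard and host.startswith("*.")
    if wildcard:
        host = host[2:]
    path = parts.path or "/"
    # Stricter than the spec: refuse dot segments instead of normalising them.
    if not host or "*" in host or ".." in path.split("/"):
        return None
    return scheme, host, port if port is not None else DEFAULT_PORTS[scheme], path, wildcard

def return_to_allowed(return_to, trust_root):
    """True only if return_to is a valid URL that falls under trust_root."""
    rt, tr = _parse(return_to), _parse(trust_root, allow_wildcard=True)
    # A trust_root carrying a fragment is itself invalid.
    if rt is None or tr is None or "#" in trust_root:
        return False
    r_scheme, r_host, r_port, r_path, _ = rt
    t_scheme, t_host, t_port, t_path, wildcard = tr
    if (r_scheme, r_port) != (t_scheme, t_port):
        return False
    # Compare whole host labels, so "example.com.evil.test" never matches "example.com".
    host_ok = r_host == t_host or (wildcard and r_host.endswith("." + t_host))
    # Path must equal the trust_root path or sit below it on a "/" boundary.
    base = t_path if t_path.endswith("/") else t_path + "/"
    return bool(host_ok and (r_path == t_path or r_path.startswith(base)))
```

A provider that runs this before rendering anything derived from return_to rejects the request outright instead of echoing an unvalidated value into its page.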