[cap-talk] An example of violating POLA?
Jack Lloyd
lloyd at randombit.net
Mon Jun 9 02:31:51 CDT 2008
On Mon, Jun 09, 2008 at 06:45:24AM +0100, Toby Murray wrote:
> Absolutely. The trick is, however, coming up with a means for the user
> to grant Yelp the authority to read the address book. This is perhaps
> even more difficult for web applications than for traditional ones,
It does not seem to me like this problem would be that
difficult. Imagine your mail website, capmail.com, has a button on it
"Grant Site Access to Your Addressbook". You click it and enter the
name of a site (yelp.com) and it generates a new URL
https://capmail.com/randombit/addressbook/<160-bit random number>
which you copy and paste into a form on yelp's site. Then yelp gets
the information it needs via that URL (it might represent either a
static page with your addressbook data, or an XMLRPC/SOAP endpoint,
whatever). If desired, you can later revoke access to your addressbook
for yelp through the same capmail.com interface.
This is not a particularly clever or extendable solution, but for the
access of addressbook data (and I do see a lot of sites wanting you to
enter your email passwords for exactly that reason), it seems like it
would work.
It's 3 am here so perhaps I am missing the fatal flaw.
-Jack
More information about the cap-talk
mailing list