
shibboleth-dev - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP

  • From: Patrik Schnellmann <>
  • To:
  • Subject: Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
  • Date: Thu, 29 Jul 2010 13:35:50 +0200

Hi all

On 27.07.10 19:54, Jim Fox wrote:
> Most of our users don't use a really recent IE8, so the new header
> would do them no good. It wouldn't hurt them either. It would be
> nice to have a solution for everyone.

With that broad variety of browsers used and really old versions that are still out there, it's almost impossible to have a solution for everyone. I'm fine if there's a solution that does not hurt old versions and that the latest browsers support.

> As far as the login page in an iframe: If you do that the URL of
> the IdP doesn't show up anywhere, does it? How would the user know

That's right. In that case, the user can't verify the login form was sent from his IdP.

> this is the IdP's page and not a fake? Why would someone do that?

If an iframe is used to integrate the login form into a page which is sent from another server, the user should have good reasons to trust that server. Some institutions may choose to use iframes for whatever reason, probably for better usability. Are there any who do this on this list?

Anyone whose infrastructure would be affected by using the x-frame-options header?

Patrik

--
SWITCH
Serving Swiss Universities
--------------------------
Patrik Schnellmann, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
phone +41 44 2681559, fax +41 44 2681568
http://www.switch.ch
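An added example, not code from the Shibboleth IdP or from anyone in this thread: it models the decision a browser makes when a response carries X-Frame-Options (the two values that existed at the time, DENY and SAMEORIGIN), and runs the embedding scenarios the thread raises through it: a normal top-level login, the IdP framing its own page, another institutional server framing the login form, and a clickjacking page. A browser that does not know the header is modelled as simply ignoring it, which is why adding the header cannot hurt old browsers but also does nothing for them. All hostnames and paths are constructed.

```javascript
// Added example; not Shibboleth code. Models X-Frame-Options handling on both
// sides of the connection so the deployment trade-off can be seen in one run.

// Scheme + host (+ port) of a URL, the unit SAMEORIGIN compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Server side: add the header to an IdP response. Only DENY and SAMEORIGIN are
// accepted; an unknown value would be ignored by browsers, i.e. fail open, so
// a typo is rejected here instead of silently shipping no protection.
function addFrameProtection(headers, policy) {
  const p = String(policy).trim().toUpperCase();
  if (p !== "DENY" && p !== "SAMEORIGIN") {
    throw new Error(`unsupported X-Frame-Options policy: ${policy}`);
  }
  return { ...headers, "X-Frame-Options": p };
}

// Client side: would a browser render `frameUrl` inside a page at `topUrl`?
// topUrl === null means the document is the top-level page (not framed), where
// the header has no effect. supportsXfo = false models a browser that predates
// the header and ignores it entirely.
function framingAllowed(headers, frameUrl, topUrl, supportsXfo = true) {
  if (topUrl == null) return true;             // not framed: header irrelevant
  if (!supportsXfo) return true;               // legacy browser: header ignored
  const value = headers["X-Frame-Options"];
  if (value === undefined) return true;        // no header: fail open
  const v = value.trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return originOf(frameUrl) === originOf(topUrl);
  return true;                                  // unrecognized value: ignored
}

// Constructed scenarios. The framed document is always the IdP login page.
const IDP_LOGIN = "https://idp.example.edu/idp/Authn/UserPassword";
const SCENARIOS = {
  topLevel: null,                                      // user sees the IdP URL
  sameOrigin: "https://idp.example.edu/portal/",       // IdP frames its own page
  institution: "https://www.example.edu/intranet/",   // other campus server frames it
  attacker: "https://evil.example.net/win-a-prize",    // clickjacking page
};

// Run every scenario under one policy (null = header not sent).
// Returns { scenarioName: rendersInsideFrame }.
function evaluate(policy, supportsXfo = true) {
  const headers = policy ? addFrameProtection({}, policy) : {};
  const out = {};
  for (const [name, top] of Object.entries(SCENARIOS)) {
    out[name] = framingAllowed(headers, IDP_LOGIN, top, supportsXfo);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const policy of [null, "SAMEORIGIN", "DENY"]) {
    console.log(policy || "(no header)", evaluate(policy));
  }
  console.log("DENY, browser without X-Frame-Options support:", evaluate("DENY", false));
}
```

Under SAMEORIGIN the IdP may still frame its own login page, but a login form embedded by any other institutional server stops rendering, which is the compatibility question the message asks the list about; under DENY even the IdP's own framing is blocked. In the legacy-browser row every scenario renders, including the clickjacking page, so the header is harmless to old browsers but protects none of them.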


