Identity/Security/RP logo


Displaying logos from Relying Parties in the dialog

Relying parties can specify an image to be shown in the dialog through the siteLogo option.

See this related discussion: https://groups.google.com/d/topic/mozilla.dev.identity/OumzKDFTroE/discussion

Risks

  • the browser executing script contained inside the image file
  • a large image taking over the visible portion of the dialog and changing the layout in a confusing or malicious way

Mitigations

  • siteLogo must be specified as an absolute path (not a full URL) on the RP site; the dialog resolves it against the RP's origin, so the image always has the RP as its origin
  • the image must be served over HTTPS to avoid mixed content issues in the dialog
  • since the dialog, not the RP, supplies the img element, an image loaded through it does not run script, we can be sure that the layout is not confusing to the end-user, and we can use CSS rules on outer elements to enforce a maximum size
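The three mitigations above, applied in code. This is an added example written for this page, not Persona's dialog code: the function names, the RP origin rp.example, the 100px size cap and the sample paths are assumptions. It rejects anything that is not an absolute path on an HTTPS RP origin, re-checks the resolved origin (WHATWG URL parsing turns a leading "/\" into an authority, so a second-character check alone is not enough), and emits the img inside a size-capped wrapper that the dialog controls.

```javascript
// Added example (not Persona's own code): validate an RP-supplied siteLogo
// value the way the mitigations above describe, then build the dialog's <img>.
// Uses the global WHATWG URL class available in browsers and Node >= 10.

// Returns the absolute https URL of the logo on the RP origin, or null if the
// value is rejected. rpOrigin is the origin of the page that opened the dialog.
function resolveSiteLogo(siteLogo, rpOrigin) {
  if (typeof siteLogo !== 'string') return null;

  // Must be an absolute *path*, not a URL: this rejects anything carrying a
  // scheme ("https://", "javascript:", "data:"), scheme-relative "//host", and
  // "/\host", which WHATWG parsing would also treat as an authority.
  if (!/^\/(?![\/\\])/.test(siteLogo)) return null;

  let origin;
  try { origin = new URL(rpOrigin); } catch (e) { return null; }
  // HTTPS only, so the logo cannot become mixed content inside the dialog.
  if (origin.protocol !== 'https:') return null;

  let resolved;
  try { resolved = new URL(siteLogo, origin.origin); } catch (e) { return null; }
  // Defence in depth: whatever the path looked like, the resolved URL must
  // still sit on the RP's own origin.
  if (resolved.origin !== origin.origin) return null;
  return resolved.href;
}

// Markup the dialog would emit. The dialog, not the RP, supplies the <img>;
// the fixed-size wrapper with overflow hidden caps how much of the dialog a
// large image can occupy (100px is an assumed value). The URL is
// attribute-escaped so it cannot break out of the src attribute.
function logoMarkup(logoUrl) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                      .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return '<div class="site-logo" style="max-width:100px;max-height:100px;overflow:hidden">' +
         '<img src="' + esc(logoUrl) + '" alt="" style="max-width:100%;max-height:100%">' +
         '</div>';
}

// Constructed sample inputs: one good value and several that must be rejected.
function demo() {
  const rp = 'https://rp.example';
  const samples = ['/logo.png', '//evil.example/x.png', '/\\evil.example/x.png',
                   'https://rp.example/logo.png', 'javascript:alert(1)'];
  return samples.map((s) => [s, resolveSiteLogo(s, rp)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [input, result] of demo()) console.log(input, '->', result);
  console.log(logoMarkup(resolveSiteLogo('/logo.png', 'https://rp.example')));
}
```

In a real dialog you would set `img.src` on an element created with `document.createElement('img')` rather than build a string; the string form is used here only so the example runs outside a browser.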

Background