Bug 709570 - Don't parse DOM if user denied request for spec-compliant services
Status: RESOLVED FIXED
Product: gnome-online-accounts
Classification: Core
Component: general
Version: unspecified
Hardware: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME Online Accounts maintainer(s)
Reported: 2013-10-07 14:08 UTC by Debarshi Ray
Modified: 2013-10-07 15:26 UTC
Attachments
oauth2: Don't parse the DOM to detect access_denied (6.81 KB, patch)
2013-10-07 14:23 UTC, Debarshi Ray
committed
[gnome-3-10] oauth2: Don't parse the DOM to detect access_denied (6.80 KB, patch)
2013-10-07 14:33 UTC, Debarshi Ray
committed
[gnome-3-8] oauth2: Don't parse the DOM to detect access_denied (6.84 KB, patch)
2013-10-07 14:46 UTC, Debarshi Ray
committed

Description Debarshi Ray 2013-10-07 14:08:03 UTC
Currently we are parsing the DOM to figure out if the user clicked "deny" in the webview while adding an account (see bug 670298).

There are better ways to do this than parsing the DOM if the service is following the specifications correctly. See 4.1.2.1 in https://tools.ietf.org/html/draft-ietf-oauth-v2-23 for the OAuth2 compliant way of doing this.

Parsing the DOM is fragile because it will break if the provider changes the structure of the web pages, as it has now happened for Facebook.

Of course, there are some non-compliant implementations for which we need to fall back to parsing the DOM, e.g., Flickr.
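
An added example, not part of the original report and not gnome-online-accounts' own code: one way to detect a denial from the redirect itself, as section 4.1.2.1 describes, by reading the `error` parameter on the redirect URI instead of inspecting the page. It goes slightly beyond the cited section by also checking the fragment, where the implicit grant returns the same parameter; `classify_navigation`, `find_param` and the sample redirect URI are hypothetical names and constructed values.

```c
#include <string.h>

typedef enum { NAV_UNRELATED, NAV_NO_ERROR, NAV_DENIED, NAV_OTHER_ERROR } nav_result;

/* Constructed sample value; assumed to have no query component of its own. */
#define SAMPLE_REDIRECT "https://app.example.invalid/cb"

/* Find `key` in an '&'-separated parameter string that ends at '#' or NUL.
 * Returns a pointer to the raw (not percent-decoded) value and sets *len. */
static const char *find_param(const char *params, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    while (*params) {
        size_t plen = strcspn(params, "&#");
        if (plen > klen && params[klen] == '=' && strncmp(params, key, klen) == 0) {
            *len = plen - klen - 1;
            return params + klen + 1;
        }
        if (params[plen] != '&')
            break;
        params += plen + 1;
    }
    return NULL;
}

/* Classify a URI the web view is about to load (hypothetical helper). */
nav_result classify_navigation(const char *uri, const char *redirect_uri)
{
    size_t rlen = strlen(redirect_uri), vlen = 0;
    const char *rest, *frag, *val = NULL;

    /* Ignore everything except the registered redirect URI, so a provider
     * page that merely mentions "error=access_denied" is not misread. */
    if (strncmp(uri, redirect_uri, rlen) != 0)
        return NAV_UNRELATED;
    rest = uri + rlen;
    if (*rest != '\0' && *rest != '?' && *rest != '#')
        return NAV_UNRELATED;
    if (*rest == '?')                       /* authorization code flow: query */
        val = find_param(rest + 1, "error", &vlen);
    frag = strchr(rest, '#');
    if (val == NULL && frag != NULL)        /* implicit grant: fragment */
        val = find_param(frag + 1, "error", &vlen);
    if (val == NULL)
        return NAV_NO_ERROR;
    if (vlen == strlen("access_denied") && strncmp(val, "access_denied", vlen) == 0)
        return NAV_DENIED;
    return NAV_OTHER_ERROR;
}
```

Because the decision depends only on the redirect URI and the protocol-defined `error` code, it keeps working when the provider restyles its consent page.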
Comment 1 Debarshi Ray 2013-10-07 14:23:34 UTC
Created attachment 256628
oauth2: Don't parse the DOM to detect access_denied
Comment 2 Debarshi Ray 2013-10-07 14:33:37 UTC
Created attachment 256630
[gnome-3-10] oauth2: Don't parse the DOM to detect access_denied
Comment 3 Debarshi Ray 2013-10-07 14:46:34 UTC
Created attachment 256631
[gnome-3-8] oauth2: Don't parse the DOM to detect access_denied