Bug 709570 – Don't parse DOM if user denied request for spec-compliant services

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 709570 - Don't parse DOM if user denied request for spec-compliant services


Summary:	Don't parse DOM if user denied request for spec-compliant services


Status:	RESOLVED FIXED

Product:	gnome-online-accounts
Classification:	Core
Component:	general
Version:	unspecified
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	---
Assigned To:	GNOME Online Accounts maintainer(s)
QA Contact:	GNOME Online Accounts maintainer(s)

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-10-07 14:08 UTC by Debarshi Ray
Modified:	2013-10-07 15:26 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
oauth2: Don't parse the DOM to detect access_denied (6.81 KB, patch) 2013-10-07 14:23 UTC, Debarshi Ray	committed	Details \| Review
[gnome-3-10] oauth2: Don't parse the DOM to detect access_denied (6.80 KB, patch) 2013-10-07 14:33 UTC, Debarshi Ray	committed	Details \| Review
[gnome-3-8] oauth2: Don't parse the DOM to detect access_denied (6.84 KB, patch) 2013-10-07 14:46 UTC, Debarshi Ray	committed	Details \| Review

Description Debarshi Ray 2013-10-07 14:08:03 UTC

Currently we are parsing the DOM to figure out if the user clicked "deny" in the webview while adding an account (see bug 670298).

There are better ways to do this than parsing the DOM if the service is following the specifications correctly. See 4.1.2.1 in https://tools.ietf.org/html/draft-ietf-oauth-v2-23 for the OAuth2 compliant way of doing this.

Parsing the DOM is fragile because it will break if the provider changes the structure of the web pages, as it has now happened for Facebook.

Ofcourse, there are some non-compliant implementations for which we need to fallback to parsing the DOM. eg., Flickr.

Comment 1 Debarshi Ray 2013-10-07 14:23:34 UTC

Created attachment 256628 [details] [review]
oauth2: Don't parse the DOM to detect access_denied

Comment 2 Debarshi Ray 2013-10-07 14:33:37 UTC

Created attachment 256630 [details] [review]
[gnome-3-10] oauth2: Don't parse the DOM to detect access_denied

Comment 3 Debarshi Ray 2013-10-07 14:46:34 UTC

Created attachment 256631 [details] [review]
[gnome-3-8] oauth2: Don't parse the DOM to detect access_denied