("Currently you need to be logged in to grant another site permission to know your identity, but this page will eventually let you log in during the same step.");

    # Continue only if LJ::OpenID::is_identity() accepts the requested
    # identity for $u; the raw query hash is passed along with it.
    my $identity = LJ::OpenID::is_identity($u, $GET{'identity'}, \%GET);
    unless ($identity) {
        return $err->("The site you just came from seems to want to verify an identity that you, as " . LJ::ljuser($u) . ", cannot provide.");
    }

    # trust_root is taken from the query string. Everything from the first
    # "?" to the end of the line is dropped, and the result must start with
    # http:// or https://.
    # NOTE(review): that prefix test is the only validation of $site visible
    # here; host, path and wildcard form are not checked in this code --
    # confirm LJ::OpenID::add_trust() enforces the rest.
    my $site = $GET{'trust_root'};
    $site =~ s/\?.*//;
    return $err->("Invalid site address") unless $site =~ m!^https?://!;

    # TODO: check URL and see if it contains images or external scripts/css/images, where
    # an attacker could sniff the validation tokens in the Referer header?

    if (LJ::did_post()) {
        # Saving the grant changes state, so the form-auth check runs before
        # anything is stored.
        return $err->("Possible form tampering detected.") unless LJ::check_form_auth();

        # Grant duration comes from whichever submit field was posted;
        # "once" wins if both are present.
        # NOTE(review): $dur is still undef when neither field is posted and
        # is handed to add_trust() like that -- confirm add_trust() refuses it.
        my $dur;
        $body = "";
        $dur = "always" if $POST{'yes:always'};
        $dur = "once" if $POST{'yes:once'};

        # The trust record is stored for $site (query part removed), not for
        # the raw trust_root parameter.
        LJ::OpenID::add_trust($u, $site, $dur) or return $err->("Failed to save");

        $title = "Saved";
        $body .= "Permission has been granted. You can now close this window and login to the site you were previously visiting.";

        # openid.post_grant selects what happens after a successful save.
        if ($GET{"openid.post_grant"} eq "close") {
            $body .= "";
        }
        elsif ($GET{"openid.post_grant"} eq "return") {
            # Redirect to a signed return URL built by the OpenID server
            # object; a false result is reported as an error instead.
            # NOTE(review): identity, return_to, trust_root and assoc_handle
            # are passed as received in the query string (trust_root without
            # the stripping applied to $site). Nothing in this code checks
            # that return_to lies under the trust_root that was just
            # approved; presumably signed_return_url() does -- confirm.
            my $nos = LJ::OpenID::server();
            my $sig_return = $nos->signed_return_url(
                identity => $GET{'identity'},
                return_to => $GET{'return_to'},
                trust_root => $GET{'trust_root'},
                assoc_handle => $GET{'assoc_handle'},
            );
            return BML::redirect($sig_return) if $sig_return;
            return $err->("Failed to make signed return URL.");
        }
        return;
    }

    # Not a POST: build the confirmation form shown to the user.
    $title = "Grant identity validation?";
    $body = "";
    $body .= "";
    $body .= "
";
    # Form-auth field; presumably the value LJ::check_form_auth() verifies
    # when the form is posted back -- confirm.
    $body .= LJ::form_auth();

    # $site is HTML-escaped before it is displayed. The "*." substitution runs
    # after the escaping (first match only), so its replacement text is
    # written into the page unescaped.
    my $dis_site = LJ::ehtml($site);
    $dis_site =~ s!\*\.!<anything>.!;
    $body .= "
$dis_site
";
    $body .= "";
    $body .= "
";
    $body .= "";
    $body .= "
";
    return;
} _code?> body=> page?>