Lover of Ideas (omnifarious) wrote in lj_dev,
Lover of Ideas

  • Mood:

OpenID, Yadis and the X-XRDS-Location header

Edit: It turns out I'm wrong about the spec. I should've read it more carefully. It explicitly allows the <meta> tag version of specifying the X-XRDS-Location header. The remainder of this post is unchanged for posterity.

LJ does not return the X-XRDS-Location for a person's LJ OpenID page (i.e. It returns a <meta http-equiv="X-XRDS-Location" content="" /> tag in the generated page, but not in the headers returned by the webserver.

This isn't very useful. The reason the spec specifies that the header be a webserver header is two-fold:

First an OpenID page may not be HTML at all. It might a JPEG or some other random thing. So you can't count on there being a <meta> tag to use.

Secondly, parsing HTML is hard. People do all kinds of stupid and hairy things with HTML and browsers render it OK, so they don't ever do it right. It's a ridiculous burden to place on an OpenID consumer application to have to parse HTML in order to work.

As proof that LJ does not return the proper X-XRDS-Location header, I submit the following transcript:

$ telnet 80
Connected to (
Escape character is '^]'.
GET / HTTP/1.1
Connection: close

HTTP/1.0 200 OK
Date: Fri, 09 Feb 2007 10:35:54 GMT
Server: Apache
Set-Cookie: ljuniq=obscured_so_you_cant_hack_me expires=sometime;; path=/
Cache-Control: private, proxy-revalidate
Vary: Accept-Encoding
Content-length: 43896
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">
blah.... blah... blah...

As you can see, no X-XRDS-Location header.

Why is this? Is it going to be fixed anytime soon?


  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded