Oddbean
Great PoC, Pablo!

As a best practice I would suggest using only in-page modals instead of popups; they are quite confusing and some browsers block them.

It can't be an in-browser modal though; it's gotta run in its own domain. That's why twitter/google/facebook/etc all use a real popup for OAuth flows 😅
Oh right, the same-origin policy stuff!
But you should be able to use modals at least in the process of the account creation, the more critical one, or are there other security concerns?
Or maybe an iframe with a CORS setting on the provider side could be a solution.

Yeah, the account creation part where you enter the email and username etc. is an in-page modal, but then the password stuff must happen in the popup so the client generating the account can't see it.

It could be done by doing absolutely everything in the client, but that increases the trust in the client significantly, and you also want the nsecBunker domain to have a cookie to authorize new keys without having to log in. I'd say that would only make sense if the client and nsecBunker provider are the same entity; in that case it would be fine.

Got it. Thanks for the details!
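The flow discussed in the thread (username and email collected in an in-page modal, the secret handled only in a real popup on the bunker's own origin, the client receiving nothing but a public key back), as an added example that is not part of the thread and is not nsecBunker's or Oddbean's code: the client-side half in JavaScript. The bunker origin `https://bunker.example`, the `/authorize` path, the `type: "result"` message shape and the `demo()` events are all assumptions constructed for illustration; the only page-independent fact used is that a Nostr public key is 32 bytes rendered as 64 hex characters.

```javascript
// Added example, not code from the original thread or from nsecBunker.
// Assumed placeholder origin for the bunker; the real deployment decides this.
const BUNKER_ORIGIN = "https://bunker.example";

// Nostr public keys are 32 bytes, shown as 64 lowercase hex characters.
const PUBKEY_RE = /^[0-9a-f]{64}$/;

// Build the URL the client opens in a real popup (window.open), on the bunker's
// origin rather than the client's, so the password typed there never lives in a
// document the client controls. The /authorize path is an assumption.
function buildPopupUrl(username, bunkerOrigin = BUNKER_ORIGIN) {
  const url = new URL("/authorize", bunkerOrigin);
  url.searchParams.set("username", username);
  return url.toString();
}

// Return a handler for window "message" events. It accepts a result only when the
// origin is exactly the bunker origin and the payload carries a well-formed public
// key; any message that also carries secret material is refused, since the client
// must never see those. Returns true when onResult was invoked, false otherwise.
function makeResultHandler(bunkerOrigin, onResult) {
  return function handleMessage(event) {
    if (event.origin !== bunkerOrigin) return false; // not from the bunker: ignore
    const data = event.data;
    if (!data || data.type !== "result") return false; // assumed message shape
    if (typeof data.pubkey !== "string" || !PUBKEY_RE.test(data.pubkey)) return false;
    if ("password" in data || "nsec" in data) return false; // client must not receive secrets
    onResult({ pubkey: data.pubkey });
    return true;
  };
}

// Browser usage (commented out so the block also runs in Node):
//   window.addEventListener("message", makeResultHandler(BUNKER_ORIGIN, r => console.log(r.pubkey)));
//   window.open(buildPopupUrl("alice"), "nsecbunker", "popup,width=500,height=600");

// Constructed events standing in for what the popup would postMessage back.
// Returns the number of messages the handler accepted.
function demo() {
  const accepted = [];
  const handle = makeResultHandler(BUNKER_ORIGIN, r => accepted.push(r));
  const pubkey = "ab".repeat(32); // constructed 64-hex sample key
  handle({ origin: "https://evil.example", data: { type: "result", pubkey } }); // wrong origin
  handle({ origin: BUNKER_ORIGIN, data: { type: "result", pubkey, nsec: "nsec1..." } }); // leaks secret
  handle({ origin: BUNKER_ORIGIN, data: { type: "result", pubkey: "zz" } }); // malformed key
  handle({ origin: BUNKER_ORIGIN, data: { type: "result", pubkey } }); // the one good message
  return accepted.length;
}
```

The origin comparison is the point: `postMessage` delivers to whatever window is listening, so the client has to check `event.origin` itself, and the handler refusing any payload containing `nsec` or `password` keeps the division of trust the thread describes even if a buggy popup tried to hand the secret over.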