Quick thoughts on XAuth

It’s the “common domain cookie” trick from Liberty ID-FF and SAML2, except without the notion of a circle of trust. (Thanks to Praveen for forging the CDC connection in my brain.)


It’s yet another thing you have to opt out of instead of into. (To disable it, visit XAuth.org from each browser you use.)

Pamela is wise.

I was already getting tired of the “social web” about the end of 2009. Does that make me anti-social?

Ugh — seepage.

6 Comments to “Quick thoughts on XAuth”

  1. Robin Wilton 21 April 2010 at 8:22 am #

    Ah – so XAuth is just a “Circle”, then… ;^(

    Interesting. For me, the “Disable” button works in Firefox/Ubuntu, but not in Firefox/Windows.

  2. Pamela Dingle 21 April 2010 at 9:45 am #

    The Disable functionality is a joke. I’d have to disable it in 30 places, just to cover the devices and browsers I use a minimum of once a week. And how permanent is it anyway?

    The only acceptable way I see for this to happen is if I can opt out at the identity provider such that they do not publish the XAuth JavaScript on pages that I load in the first place, and therefore no extend call is made on any browser. I still have to opt out at every identity provider, but at least it’s a persistent, meaningful setting at that point.

  3. Eve 21 April 2010 at 9:54 am #

    Yeah, I’ve been discovering the limitations of disabling all morning. Sigh.

  4. Liz Fraley 22 April 2010 at 5:56 am #

    Camino/MacOSX also failed to disable. iPhone/Safari reported “xauth is unsupported”. Interesting, but it likely won’t last…and I’ll have to remember to check later (never good).

  5. Jean Kaplansky 28 April 2010 at 10:00 am #

    Win XP SP3:

    Google Chrome – successfully disabled
    Firefox 3.6.x – successfully disabled
    MS IE 7.0 – I got nuthin. No response from the disable button in any way shape or form.

    iPad Safari – Success (which is not what I expected since it’s not supported on iPhone Safari at all…)

    Mac OS X 10.5.8

    Google Chrome – successfully disabled
    Firefox 3.6.x – successfully disabled
    Camino (one version back from current?) – nuthin. No response whatsoever.

  6. Latrent 1 May 2010 at 5:13 pm #

    Instead of disabling it in every browser, edit your OS’s equivalent of the /etc/hosts file and assign xauth.org the localhost address.

    After a reboot, no browser or application will be able to contact xauth.org for any reason. It might even bring up your local web server if you’re running it. (I’m not so I’m not sure.)
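The hosts-file approach from the comment above, as an added example that is not part of the original post or any of its comments: a small POSIX shell script that pins one or more hostnames to the loopback address in a hosts file, skipping names that are already mapped there. The file path is a parameter so the functions can be tried on a scratch copy before touching the real `/etc/hosts` (on Windows, `C:\Windows\System32\drivers\etc\hosts`), which needs administrator rights to edit. The function names and the sample hosts-file contents are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments.
# Pin hostnames to loopback in a hosts file, the technique described in
# comment 6, done idempotently so re-running it does not duplicate lines.

# host_is_blocked FILE HOSTNAME
# Succeeds when FILE already maps HOSTNAME to 127.0.0.1 or ::1.
# Trailing "# ..." comments are stripped first, so a commented-out entry
# does not count. The match is on the whole name: "xauth.org" does not
# match "www.xauth.org", so every hostname the script is served from
# must be listed separately.
host_is_blocked() {
    file=$1
    host=$2
    sed 's/#.*//' "$file" | awk -v h="$host" '
        ($1 == "127.0.0.1" || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i == h) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# block_host FILE HOSTNAME...
# Append IPv4 and IPv6 loopback entries for each HOSTNAME not yet blocked.
block_host() {
    file=$1
    shift
    for host in "$@"; do
        if ! host_is_blocked "$file" "$host"; then
            printf '127.0.0.1 %s\n::1 %s\n' "$host" "$host" >> "$file"
        fi
    done
}

# Usage on the real file (needs root):  sudo sh -c '. ./block.sh; block_host /etc/hosts xauth.org'
# Dry run on a copy (constructed sample contents, not a real hosts file):
if [ "${BLOCK_HOST_DEMO:-}" = 1 ]; then
    demo=$(mktemp)
    printf '127.0.0.1 localhost\n' > "$demo"
    block_host "$demo" xauth.org
    cat "$demo"
    rm -f "$demo"
fi
```

Two caveats a practitioner would want: no reboot is needed on most systems, but browsers cache DNS answers, so restart the browser after editing; and, as the comment notes, anything listening on the local HTTP port will now answer for that name, so a local web server (or anything else bound to port 80) becomes what the page's script tag actually loads.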