My users get this: "Warning: This website has not been verified by Yahoo!. For your security, we recommend that you continue only if you trust this website."
When I sign the application I mention that it's a desktop application, so I have no domain to verify.
How can I make this go away? If I do enter my domain and verify it, will Yahoo respect calls only from that domain? (Would I be able to perform calls from the client desktop?) What is the difference between web and desktop in Yahoo's eyes?
OOB causes the user to manually insert the token; I don't want to add that step for the user.
What if I use a web-based app? 1- Does Yahoo look for the referer value from the browser? Will it respect a "localhost" call? 2- Some other mail service gives priority to cookies over the OAuth authorization header in case it's web-based; in the desktop case the OAuth header gets the priority. Does Yahoo work the same?
For security considerations, we have to show the user the warning if you specify a callback URL that doesn't apply to the desktop application. Consider someone who manipulates the request and sets the URL to be evilsite.com.
Now answers to your two questions:
- If you use a web-based app, then the host part in the callback URL should match the host/domain that you have verified when you register the application and get a consumer key. Sending localhost as callback_url will mostly lead to an error shown to the user, or probably a warning.
- I don't know why you would need to send the user's cookies (issued on yahoo.com) in the OAuth flow. Anyway, OAuth headers should take precedence.
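
The host check described in the answer above, sketched as an added example; it is not part of the original thread and is not Yahoo's code. The function name, the three result labels, the acceptance of subdomains and the domain `example.com` are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def classify_callback(callback, verified_domain=None):
    """Classify an oauth_callback value as 'oob', 'trusted' or 'unverified'.

    'unverified' is the case where a provider would show a warning or an error.
    """
    if callback == "oob":
        return "oob"  # out-of-band: the user copies the verifier by hand
    if not verified_domain:
        return "unverified"  # desktop registration: nothing to compare against
    # Backslashes and whitespace are parsed differently by browsers and by
    # urllib, so refuse them instead of guessing which host will be used.
    if any(ch in callback for ch in "\\ \t\r\n"):
        return "unverified"
    try:
        parts = urlsplit(callback)
        host = parts.hostname  # excludes userinfo ("user@") and the port
    except ValueError:
        return "unverified"
    if parts.scheme not in ("http", "https") or not host:
        return "unverified"
    host = host.rstrip(".").lower()
    domain = verified_domain.rstrip(".").lower()
    # Assumption: subdomains of the verified domain are accepted as well.
    if host == domain or host.endswith("." + domain):
        return "trusted"
    return "unverified"


# Constructed sample callbacks, checked against a constructed verified domain.
SAMPLES = [
    "oob",
    "https://example.com/oauth/cb",
    "http://evilsite.com/oauth/cb",
    "http://example.com@evilsite.com/cb",   # verified name only in userinfo
    "http://example.com.evilsite.com/cb",   # verified name only as a prefix
    "http://localhost:8080/cb",
]

if __name__ == "__main__":
    for cb in SAMPLES:
        print(f"{cb:40} -> {classify_callback(cb, 'example.com')}")
```

The comparison is made on the parsed host, not on a substring of the URL, which is why the two lookalike samples come back as unverified.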