desktop application and warnings from yahoo

hello,

my users get this "Warning: This website has not been verified by Yahoo!. For your security, we recommend that you continue only if you trust this website."

when i sign the application i mention that it's a desktop application so i have no domain to verify.

how can i make this go away?
if i do enter my domain and verify it, will yahoo respect calls only from that domain? (would i be able to perform calls from the client desktop?)
what is the difference between web and desktop in yahoo's eyes?

thanks
Elad

3 Replies
  • Hi Elad,

    Did you specify "oauth_callback=oob" in your request? Using that shouldn't lead
    to any warning.

    Callback URL in desktop applications doesn't make sense so we don't require
    any domain verification and don't show any warning. This should be in line with
    your expectation.

    Thanks,
    Yu Wang
    0
  • oob causes the user to manually insert the token, i don't want to add that step for the user.

    what if i use a web-based app?
    1- does yahoo look for the referer value from the browser? will it respect a "localhost" call?
    2- some other mail services give priority to cookies over the oauth authorization header in case it's web-based, in the desktop case the oauth header gets the priority, does yahoo work the same?

    thanks
    Elad
    0
  • Hi Elad,

    For security considerations, we have to show the user the warning if you specify
    a callback URL that doesn't apply to the desktop application. Consider
    someone who manipulates the request and sets the URL to be evilsite.com.

    Now answers to your two questions:

    - If you use a web-based app, then the host part in the callback URL should match
    the host/domain that you verified when you registered the application and
    got a consumer key. Sending localhost as callback_url will mostly lead to
    an error shown to the user, or probably a warning.

    - I don't know why you would need to send the user's cookies (issued on yahoo.com)
    in the OAuth flow. Anyway, OAuth headers should take precedence.

    Thanks,
    Yu Wang
    0
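
The callback rule discussed in this thread, sketched as a provider-side check. This is an added example, not Yahoo's code and not part of any reply above; `classify_callback`, its three result labels, the subdomain allowance and the sample domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OOB = "oob"  # OAuth 1.0a out-of-band value (case sensitive): no redirect at all


def _norm(host):
    # Compare hosts case-insensitively and ignore a trailing root dot.
    return (host or "").rstrip(".").lower()


def classify_callback(oauth_callback, verified_domain):
    """Return 'oob', 'verified' or 'warn' for a request-token oauth_callback.

    verified_domain is the domain verified at registration, or None for a
    desktop registration (hypothetical data model).
    """
    if oauth_callback == OOB:
        return "oob"
    if not verified_domain:
        return "warn"  # desktop app sent a URL: nothing to match it against
    try:
        parts = urlsplit(oauth_callback)
        host = _norm(parts.hostname)  # hostname excludes userinfo and port
    except ValueError:
        return "warn"  # malformed URL, e.g. an unterminated IPv6 literal
    if parts.scheme not in ("http", "https") or not host:
        return "warn"
    domain = _norm(verified_domain)
    # Match on a label boundary so "evilexample.com" does not pass as
    # "example.com". Allowing subdomains is an assumption of this sketch.
    if host == domain or host.endswith("." + domain):
        return "verified"
    return "warn"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real registration.
    samples = [
        ("oob", None),
        ("http://localhost:8080/cb", None),
        ("https://app.example.com/cb", "example.com"),
        ("https://example.com@evilsite.com/cb", "example.com"),
        ("https://evilexample.com/cb", "example.com"),
    ]
    for callback, domain in samples:
        print(f"{callback!r:45} {domain!r:15} -> {classify_callback(callback, domain)}")
```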
