hasAccount. Stuart proposes a light-weight API for letting any site know if a user has an account (and is signed in) on another service. I wouldn’t want to deploy this without being confident that my CSRF protection was in order.
I've been planning on using a history trick similar to the one he suggests to offer a friendlier OpenID sign-in form.
Basically, you find an image or page that is only accessed by logged in users, and if they've visited it, then display something like "Have a LiveJournal account? Use ..." by the form.
It's not reliable, but it is a nice optimisation for people who might not otherwise be aware that they have an OpenID.
Another place this would be useful is cutting down the proliferation of "Digg this" buttons. I've seen sites with over a dozen of them! It would be nice if sites like that automatically detected which social surfing sites you use and only showed the relevant ones.
Jim - 28th September 2007 14:16 - #
Is someone really only going to attempt a CSRF attack after making sure you're a user of the site and logged in? Or if they had developed CSRF attacks against 6 sites would it really be necessary to pick out 1 of them most likely to succeed on a user rather than just trying all 6? I mean, what do they have to lose by trying them all out without first checking that you have an account?
The far more likely result of this, I think, is google tracking which services you're a member of and showing you ads for competitors to those services or things related to those services (camera ads for flickr account-holders). Along with every page you go to initiating calls to 10 or 20 different hasAccount URLs.
What I'd find more interesting is an OpenID->profile page URL service, which gives you the URL(s) of profile pages of user(s) associated with a given OpenID. Provided sites let you associate with multiple OpenIDs, didn't provide a way for other people to get a list of all associated OpenIDs, and providers allowed for easy creation of non-guessable aliases/profiles/nyms/whatevers, I think it would still be about as privacy-friendly as posting a user's website on his profile page, just slightly more trustable. Helps more with the Satisfaction signup process described than the other use-cases (like the Digg buttons), but it would still allow for some interesting things. Like a Firefox extension for viewing flickr photos/gmail addresses/ebay auctions of the writers of comments on openid-authenticated sites (unless the person decided to use different OpenIDs for commenting and posting photos in order to keep the identities separate).
Anonymous - 28th September 2007 23:29 - #
Jim: really funny you should mention that, I've been thinking about doing exactly that (using the CSS visited link history detection trick to decide which social bookmark links to display) for quite a while. One of us should hurry up and build it!
It looks like somebody's implemented this idea. More discussion on Reddit.
Jim - 28th May 2008 16:01 - #