ivucica blog

Yahoo! OpenID’s XRDS check, Apache2 and PHP

Another continuation of a previous blogging session 🙂

A reminder, we’re talking about this:

Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate.

PHP+Apache2 users out there might be interested in this reminder. It's already mentioned in the previous post's checklist, but I'd like to point it out again.

Don’t name your file xrds.xml.php and try to serve it as xrds.xml while changing Content-type to application/xrds+xml in the header. Apache2 is braindead (or used to be) and doesn’t even attempt to execute the file.

Yahoo! sends an Accept header in its HTTP request, listing application/xrds+xml. Apache decides your file is not of the correct file type, and sends Yahoo! the 406 Not Acceptable response. Referring to the same file with the .php extension included makes Apache actually execute the file, and then compare the Content-Type to the Accept header from the client.
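
One way to check this from the client side, as an added example that is not part of the original post: the Python script below sends the same Accept header and reports whether the server answers 406 or actually serves application/xrds+xml. FakeServer is a constructed local stand-in for the two Apache behaviours described above, and probe, diagnose and demo are illustrative names; point probe() at your own XRDS URL to test a real site.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

XRDS_TYPE = "application/xrds+xml"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies

def probe(url):
    """GET url with the Accept header the post says Yahoo! sends."""
    req = urllib.request.Request(url, headers={"Accept": XRDS_TYPE})
    try:
        with OPENER.open(req, timeout=5) as resp:
            status, ctype = resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        status, ctype = err.code, err.headers.get("Content-Type", "")
    return status, (ctype or "").split(";")[0].strip().lower()

def diagnose(status, ctype):
    """Turn a probe result into the finding a site owner needs."""
    if status == 406:
        return "406: negotiation failed, reference the file with its .php extension"
    if status != 200:
        return f"unexpected status {status}"
    if ctype != XRDS_TYPE:
        return f"Content-Type is {ctype!r}, expected {XRDS_TYPE}"
    return "ok"

class FakeServer(BaseHTTPRequestHandler):
    """Constructed stand-in for the two Apache behaviours described above."""
    def do_GET(self):
        ok = self.path == "/xrds.xml.php"
        body = b"<placeholder/>" if ok else b""  # constructed body, not real XRDS
        self.send_response(200 if ok else 406)
        self.send_header("Content-Type", XRDS_TYPE if ok else "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeServer)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {p: diagnose(*probe(base + p)) for p in ("/xrds.xml", "/xrds.xml.php")}
    finally:
        server.shutdown()

if __name__ == "__main__":
    print(demo())
```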


via blog.vucica.net