2020-01-25 UTC
# [dmitshur] Have you considered the case of reducing the potential damage of forgetting to sanitize user-posted content on the page you use for signing in (via RelMeAuth)? If someone manages to inject a rel=me link, there’s a greater chance they can sign in via your domain unintentionally. Requiring bidirectional account linking helps reduce that risk, but so does moving/copying rel=me links from body to headers.
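The two mitigations in the comment above, as an added example that is not the commenter's code or the project's own: a small verifier that collects rel=me targets from the HTTP `Link` header and the HTML body, can be told to trust only the header, and accepts a profile for a site only when both pages link to each other. The page contents and the `PAGES` lookup are constructed stand-ins for live fetches, and the Link-header parser is simplified (it assumes `rel` is the first parameter).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin


class _RelMeParser(HTMLParser):
    """Collects href values of <a>/<link> elements whose rel list contains 'me'."""

    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag in ("a", "link") and "me" in rels and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))


# Simplified Link-header parser: <target>; rel="..." (rel assumed to be the first parameter).
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^";,]+)"?')


def rel_me_links(base, page, headers_only=False):
    """rel=me targets a page advertises: the HTTP Link header plus, unless
    headers_only is set, the HTML body (where unsanitized user content may land)."""
    found = [urljoin(base, h) for h, r in _LINK_RE.findall(page.get("link", ""))
             if "me" in r.lower().split()]
    if not headers_only:
        p = _RelMeParser(base)
        p.feed(page.get("body", ""))
        found += p.links
    return found


def verify_rel_me(site, candidate, pages, headers_only=False):
    """Accept `candidate` as an identity for `site` only if site -> candidate and
    candidate -> site both carry rel=me. headers_only applies to the user's site,
    the page on which injected body content is the concern."""
    if candidate not in rel_me_links(site, pages.get(site, {}), headers_only):
        return False
    return site in rel_me_links(candidate, pages.get(candidate, {}))


# Constructed sample documents (hypothetical hosts) standing in for live fetches.
SITE, GOOD, EVIL = "https://alice.example/", "https://social.example/alice", "https://evil.example/m"
PAGES = {
    SITE: {"link": f'<{GOOD}>; rel="me"',
           "body": f'<a rel="me" href="{GOOD}">me</a>'
                   f'<p class="comment">injected: <a rel="me" href="{EVIL}">x</a></p>'},
    GOOD: {"link": "", "body": f'<link rel="me" href="{SITE}">'},
    EVIL: {"link": "", "body": "<p>no link back</p>"},
}
```

With the body-only injected link, `verify_rel_me(SITE, EVIL, PAGES)` is False because the profile never links back, and `rel_me_links(SITE, PAGES[SITE], headers_only=True)` never sees the injected link at all.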