New domain for BrowserID, minor security questions #3
Description
Hey, thanks so much for implementing BrowserID! We changed the single "browserid.org" domain to a pair:
- https://login.persona.org/ for include.js
- https://verifier.login.persona.org/ for the /verify action.
I can do a branch and PR for this, but I'm new to Ruby and don't want to break your conventions for handling constants or the relationship between this repo and devise-browserid. (If you aren't attempting to load include.js -- I couldn't tell -- I can just swap in the new constant and do a PR.)
From scanning your code and the net:http docs I couldn't see where you were checking the SSL certification for the /verify domain -- apologies if I missed it. Finally, at https://github.com/ringe/warden-browserid/blob/master/lib/warden-browserid/strategy.rb#L28, does that value come from the client (bad) or from server state (good)?
Thanks again for your awesome support of Persona!
--Sam