Comment 2 for bug 608920

David Owen (dsowen) wrote :

To test, use Firefox with FireBug installed.

1. Disable JavaScript
2. Make sure to log out of SSO
3. Go to the test consumer
4. Click "Begin"

You should stop at a page with a single button and no styling.

5. Using FireBug, locate the hidden parameter named "openid.return_to", and add the text "&aaaaaaaa..." (thousands of As) to the end of its value.
6. Click "Continue"
7. Sign in to SSO

If you added enough As in step 5, you will be at another form, "Continue to 3rd-party site" styled in SSO's fashion.

Correct behavior is that this form will not have the CSRF token in it. You may verify this by manually inspecting the form to ensure its absence.

Also, you may submit the form. Because SSO assumes this submits to a 3rd-party site, but the test consumer is actually local and expects CSRF protection, you will receive a stale page error if the CSRF token is correctly missing.
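The following is an added example, not code from the bug report or from the SSO project, that models the behaviour the test procedure above exercises: an OpenID provider normally returns its positive assertion to the consumer as a redirect, but when the encoded message is too long for a URL it falls back to an auto-submitting HTML form that posts to openid.return_to (the "Continue to 3rd-party site" page). Since that form posts to another site, the provider's own CSRF token must never appear in it. The 2047-byte URL limit, the field name csrfmiddlewaretoken, the sample URLs and the identity are assumptions made for this example; the check in has_csrf_token is the manual inspection from the comment, automated.

```python
"""Added example (not from the bug report or the SSO code base).

Models the indirect-response path the test above drives: a short
openid.return_to produces a redirect, a padded one (step 5, thousands of
As) pushes the message over the URL limit and produces the form page.
The form posts to the consumer's return_to, so the provider's CSRF token
is deliberately never rendered into it.

Assumptions (not stated in the bug report): URL_LIMIT, CSRF_FIELD, and
the sample URLs/identity below are constructed for this example.
"""
import html
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

URL_LIMIT = 2047                    # assumption: OpenID-style URL length limit
CSRF_FIELD = "csrfmiddlewaretoken"  # assumption: Django-style CSRF field name

# Constructed sample values; the real test consumer URL is not on the page.
SAMPLE_RETURN_TO = ("https://consumer.example.test/openid/complete"
                    "?janrain_nonce=2010-07-22T12%3A00%3A00Zabcdef")
SAMPLE_IDENTITY = "https://login.example.test/+id/AbCdEf0"


def pad_return_to(return_to, count):
    """Step 5 of the procedure: append '&aaaa...' (count As) to return_to."""
    return return_to + "&" + "a" * count


def build_assertion(return_to, identity):
    """Return ('redirect', url) or ('form', html) for a positive assertion.

    The form variant carries only the OpenID fields. No CSRF token is
    added: the action is the relying party's URL, so a token placed here
    would be handed to a third party.
    """
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.return_to": return_to,
        "openid.claimed_id": identity,
        "openid.identity": identity,
    }
    parts = urlsplit(return_to)
    query = parts.query + ("&" if parts.query else "") + urlencode(fields)
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, query,
                      parts.fragment))
    if len(url) <= URL_LIMIT:
        return "redirect", url

    # Too long for a URL: render the auto-submit form instead.
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s">'
        % (html.escape(name), html.escape(value))
        for name, value in fields.items())
    form = ('<form method="post" action="%s">\n%s\n'
            '  <input type="submit" value="Continue to 3rd-party site">\n'
            '</form>' % (html.escape(return_to), inputs))
    return "form", form


def has_csrf_token(form_html):
    """The inspection from the comment: does any input carry CSRF_FIELD?"""
    pattern = r'name=["\']%s["\']' % re.escape(CSRF_FIELD)
    return re.search(pattern, form_html) is not None


if __name__ == "__main__":
    kind, body = build_assertion(SAMPLE_RETURN_TO, SAMPLE_IDENTITY)
    print("short return_to ->", kind)
    kind, body = build_assertion(pad_return_to(SAMPLE_RETURN_TO, 3000),
                                 SAMPLE_IDENTITY)
    print("padded return_to ->", kind,
          "| CSRF token present:", has_csrf_token(body))
```

Run as-is to see the short return_to take the redirect path and the padded one take the form path with no CSRF field; point has_csrf_token at a saved copy of the real "Continue to 3rd-party site" page to perform the check from the comment without Firebug.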