Hi Torsten,

No, it should indeed work fine with CORS. CORS is supported by IE8+, FF, Chrome, Safari and Opera12+ (with limited error handling and limited verb support in IE8 and IE9, but with POST you should be safe afaik).

Note that if you want to support this in combination with implicit grant flow (unhosted html5 apps), then you need CORS. Which made me wonder why you are mentioning JSONP at all? Mentioning JSONP as a 'MAY' but not mentioning CORS could send people in the wrong direction IMO. So I would rename the section 'JSONP' to 'CORS and JSONP', or in general, 'Cross-Origin support', and then start with a sentence like:

"The revocation end-point SHOULD support CORS if it is aimed at use in combination with the implicit-grant flow. For other flows, it is still recommended(?) to support CORS. In addition, for interop with legacy user-agents, it MAY offer JSONP. Clients should be aware that when relying on JSONP, the revocation end-point MAY ;) inject malicious code into the client."

You can tell I don't speak spec lingo, but I hope I'm sort of getting my point across, that IMO, CORS is better here than JSONP. Or: simply not mention JSONP at all. Would that be an option?

Cheers,
Michiel

On Sun, May 27, 2012 at 3:05 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> Hi Michiel,
>
> shouldn't the revocation POST request work fine with CORS? Or is there
> something we need to specify in order to make it work?
>
> best regards,
> Torsten.
>
> On 27.05.2012 13:20, Michiel de Jong wrote:
>
>> awesome! just that - first thing that catches the eye right when you
>> skim the table of contents is:
>>
>> why did you use JSONP instead of its CORS? You can read more about CORS
>> here:
>>
>> http://enable-cors.org/
>>
>> http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#CORS_relationship_to_JSONP
>>
>> On Sun, May 27, 2012 at 10:41 AM, <internet-dra...@ietf.org> wrote:
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories. This draft is a work item of the Web Authorization Protocol
>>> Working Group of the IETF.
>>>
>>> Title     : Token Revocation
>>> Author(s) : Torsten Lodderstedt
>>>             Stefanie Dronia
>>>             Marius Scurtescu
>>> Filename  : draft-ietf-oauth-revocation-00.txt
>>> Pages     : 6
>>> Date      : 2012-05-26
>>>
>>> This draft proposes an additional endpoint for OAuth authorization
>>> servers for revoking tokens.
>>>
>>> A URL for this Internet-Draft is:
>>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> This Internet-Draft can be retrieved at:
>>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt
>>>
>>> The IETF datatracker page for this Internet-Draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
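
The server side of the CORS-enabled revocation POST discussed in this thread, as an added example that is not part of the e-mails or of the draft. It assumes a form-encoded `token` parameter, a wildcard origin policy (the token in the body is the only credential, no cookies) and a hypothetical `handleRevocation` function with a constructed in-memory token store.

```javascript
// Added sketch: CORS decisions for a token revocation endpoint.
// Names and policy are assumptions for illustration, not the draft's text.
const ALLOWED_HEADERS = 'authorization, content-type';
const activeTokens = new Set(['tok-constructed-1']); // constructed sample data

function corsHeaders(origin) {
  // Only cross-origin browser requests carry Origin. A wildcard is safe here
  // because no ambient credentials (cookies) are accepted, so
  // Access-Control-Allow-Credentials is deliberately never sent.
  return origin ? { 'Access-Control-Allow-Origin': '*' } : {};
}

function handleRevocation(req) {
  const headers = corsHeaders(req.headers['origin']);

  if (req.method === 'OPTIONS') {
    // Preflight: a plain form POST is a "simple" request and skips this, but
    // adding an Authorization header for client authentication triggers it.
    const wanted = (req.headers['access-control-request-method'] || '').toUpperCase();
    if (wanted !== 'POST') return { status: 403, headers: {} };
    return { status: 204, headers: { ...headers,
      'Access-Control-Allow-Methods': 'POST',
      'Access-Control-Allow-Headers': ALLOWED_HEADERS,
      'Access-Control-Max-Age': '600' } };
  }

  // GET is the only verb a JSONP <script> tag can issue; rejecting it means
  // there is no path that returns executable script to the calling page.
  if (req.method !== 'POST') return { status: 405, headers: { ...headers, Allow: 'POST' } };

  const ctype = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ctype !== 'application/x-www-form-urlencoded') return { status: 415, headers };

  const token = new URLSearchParams(req.body || '').get('token');
  if (!token) return { status: 400, headers };

  activeTokens.delete(token); // unknown tokens are treated as already revoked
  return { status: 200, headers }; // status only: the client reads data, never runs code
}
```

With CORS the client receives a status it can inspect; with JSONP the same response would be script executed in the client's origin, which is the injection risk raised in the message above.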