Fine with me

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt
Sent: Thursday, June 07, 2012 8:41 AM
To: Michiel de Jong
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-00.txt
Hi Michiel,

I'm fine with both suggestions (also mentioning CORS or not mentioning JSONP). What do my co-authors and other WG members think?

regards,
Torsten.

On 29.05.2012 14:10, Michiel de Jong wrote:
> Hi Torsten,
>
> No, it should indeed work fine with CORS. CORS is supported by IE8+, FF, Chrome, Safari and Opera12+ (with limited error handling and limited verb support in IE8 and IE9, but with POST you should be safe afaik).
>
> Note that if you want to support this in combination with implicit grant flow (unhosted html5 apps), then you need CORS.
>
> Which made me wonder why you are mentioning JSONP at all? Mentioning JSONP as a 'MAY' but not mentioning CORS could send people in the wrong direction IMO. So I would rename the section 'JSONP' to 'CORS and JSONP', or in general, 'Cross-Origin support', and then start with a sentence like:
>
> "The revocation end-point SHOULD support CORS if it is aimed at use in combination with the implicit-grant flow. For other flows, it is still recommended(?) to support CORS. In addition, for interop with legacy user-agents, it MAY offer JSONP. Clients should be aware that when relying on JSONP, the revocation end-point MAY ;) inject malicious code into the client."
>
> You can tell I don't speak spec lingo, but I hope I'm sort of getting my point across, that IMO, CORS is better here than JSONP.
>
> Or: simply not mention JSONP at all. Would that be an option?
>
>
> Cheers,
> Michiel
>
> On Sun, May 27, 2012 at 3:05 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>> Hi Michiel,
>>
>> shouldn't the revocation POST request work fine with CORS? Or is there something we need to specify in order to make it work?
>>
>> best regards,
>> Torsten.
>>
>> On 27.05.2012 13:20, Michiel de Jong wrote:
>>
>>> awesome! just that - first thing that catches the eye right when you skim the table of contents is:
>>>
>>> why did you use JSONP instead of CORS? You can read more about CORS here:
>>>
>>> http://enable-cors.org/
>>>
>>> http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#CORS_relationship_to_JSONP
>>>
>>> On Sun, May 27, 2012 at 10:41 AM, <internet-dra...@ietf.org> wrote:
>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>>>>
>>>> Title : Token Revocation
>>>> Author(s) : Torsten Lodderstedt
>>>> Stefanie Dronia
>>>> Marius Scurtescu
>>>> Filename : draft-ietf-oauth-revocation-00.txt
>>>> Pages : 6
>>>> Date : 2012-05-26
>>>>
>>>> This draft proposes an additional endpoint for OAuth authorization servers for revoking tokens.
>>>>
>>>> A URL for this Internet-Draft is:
>>>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt
>>>>
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>
>>>> This Internet-Draft can be retrieved at:
>>>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt
>>>>
>>>> The IETF datatracker page for this Internet-Draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
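Michiel's point in the thread is that a browser-based (implicit-grant) client can only call the revocation endpoint cross-origin if the server speaks CORS, and that JSONP hands the server a way to run script in the client. The sketch below, added here and not part of the thread or of the draft, shows the CORS side of a revocation endpoint: a preflight answer and an origin allowlist around the form-encoded POST; the allowlist entries, the `revoke` callback and the `token` parameter name are assumptions (the parameter name follows the published RFC 7009).

```python
from urllib.parse import parse_qs

# Constructed allowlist of client origins permitted to call the endpoint.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers(origin):
    """CORS response headers for an allowlisted Origin; empty dict otherwise.

    The origin is echoed back rather than answered with "*", so the
    allowlist stays the single decision point.
    """
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST",
            "Access-Control-Allow-Headers": "Content-Type, Authorization",
            "Vary": "Origin",
        }
    return {}


def handle_revocation(method, headers, body, revoke):
    """Return (status, headers, body) for one request to the revocation endpoint.

    `revoke` is the assumed hook that invalidates a token server-side.
    """
    origin = headers.get("Origin")
    cors = cors_headers(origin)
    if method == "OPTIONS":
        # Preflight: the browser asks whether the cross-origin POST may go ahead.
        return (204 if cors else 403, cors, b"")
    if method != "POST":
        return (405, cors, b"")
    if origin is not None and not cors:
        # A form-encoded POST is a "simple" CORS request, so browsers send it
        # without preflight; refuse it ourselves instead of relying on the
        # browser to hide the response.
        return (403, cors, b"")
    token = parse_qs(body.decode()).get("token", [None])[0]
    if not token:
        return (400, {**cors, "Content-Type": "application/json"},
                b'{"error":"invalid_request"}')
    revoke(token)
    # Unknown or already-revoked tokens are not an error for the caller.
    return (200, cors, b"")
```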