Hi, I would prefer to keep the section general as Michiel suggested. Name it 'Cross-Origin support' and list CORS and JSONP as examples.
Could it be possible that other methods for Cross-origin support might come up in future? They would not be excluded then.

- Stefanie

-------- Original Message --------
> Date: Thu, 07 Jun 2012 17:40:48 +0200
> From: Torsten Lodderstedt <tors...@lodderstedt.net>
> To: Michiel de Jong <mich...@unhosted.org>
> CC: oauth@ietf.org, Marius Scurtescu <mscurte...@google.com>, Stefanie Dronia <sdro...@gmx.de>
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-00.txt

> Hi Michiel,
>
> I'm fine with both suggestions (also mentioning CORS or not mentioning
> JSONP). What do my co-authors and other WG members think?
>
> regards,
> Torsten.
>
> On 29.05.2012 14:10, Michiel de Jong wrote:
> > Hi Torsten,
> >
> > No, it should indeed work fine with CORS. CORS is supported by IE8+,
> > FF, Chrome, Safari and Opera12+ (with limited error handling and
> > limited verb support in IE8 and IE9, but with POST you should be safe
> > afaik).
> >
> > Note that if you want to support this in combination with implicit
> > grant flow (unhosted html5 apps), then you need CORS.
> >
> > Which made me wonder why you are mentioning JSONP at all? Mentioning
> > JSONP as a 'MAY' but not mentioning CORS could send people in the
> > wrong direction IMO. So I would rename the section 'JSONP' to 'CORS
> > and JSONP', or in general, 'Cross-Origin support', and then start with
> > a sentence like:
> >
> > "The revocation end-point SHOULD support CORS if it is aimed at use in
> > combination with the implicit-grant flow. For other flows, it is still
> > recommended(?) to support CORS. In addition, for interop with legacy
> > user-agents, it MAY offer JSONP. Clients should be aware that when
> > relying on JSONP, the revocation end-point MAY ;) inject malicious
> > code into the client."
> >
> > You can tell i don't speak spec lingo, but i hope i'm sort of getting
> > my point across, that IMO, CORS is better here than JSONP.
> >
> > Or: simply not mention JSONP at all. Would that be an option?
> >
> >
> > Cheers,
> > Michiel
> >
> > On Sun, May 27, 2012 at 3:05 PM, Torsten Lodderstedt
> > <tors...@lodderstedt.net> wrote:
> >> Hi Michiel,
> >>
> >> shouldn't the revocation POST request work fine with CORS? Or is there
> >> something we need to specify in order to make it work?
> >>
> >> best regards,
> >> Torsten.
> >>
> >> On 27.05.2012 13:20, Michiel de Jong wrote:
> >>
> >>> awesome! just that - first thing that catches the eye right when you
> >>> skim the table of contents is:
> >>>
> >>> why did you use JSONP instead of its CORS? You can read more about CORS
> >>> here:
> >>>
> >>> http://enable-cors.org/
> >>>
> >>> http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#CORS_relationship_to_JSONP
> >>>
> >>> On Sun, May 27, 2012 at 10:41 AM,<internet-dra...@ietf.org> wrote:
> >>>> A New Internet-Draft is available from the on-line Internet-Drafts
> >>>> directories. This draft is a work item of the Web Authorization Protocol
> >>>> Working Group of the IETF.
> >>>>
> >>>> Title     : Token Revocation
> >>>> Author(s) : Torsten Lodderstedt
> >>>>             Stefanie Dronia
> >>>>             Marius Scurtescu
> >>>> Filename  : draft-ietf-oauth-revocation-00.txt
> >>>> Pages     : 6
> >>>> Date      : 2012-05-26
> >>>>
> >>>> This draft proposes an additional endpoint for OAuth authorization
> >>>> servers for revoking tokens.
> >>>>
> >>>> A URL for this Internet-Draft is:
> >>>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt
> >>>>
> >>>> Internet-Drafts are also available by anonymous FTP at:
> >>>> ftp://ftp.ietf.org/internet-drafts/
> >>>>
> >>>> This Internet-Draft can be retrieved at:
> >>>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt
> >>>>
> >>>> The IETF datatracker page for this Internet-Draft is:
> >>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/
> >>>>
> >>>> _______________________________________________
> >>>> OAuth mailing list
> >>>> OAuth@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/oauth
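
The CORS handling discussed in this thread for a POST-only revocation endpoint, as an added example that is not part of the original messages or of the draft. The origin allowlist, the function names and the `revokeToken` callback are assumptions of this sketch; the handler works with Node's built-in HTTP server request and response objects.

```javascript
// Added example. ALLOWED_ORIGINS is a constructed value: here, the origins
// of registered browser-based clients (an assumption, not from the draft).
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Pure decision: status, response headers, and whether to revoke at all.
function crossOriginDecision(method, origin) {
  const headers = { Vary: "Origin" }; // caches must key on the Origin header
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  // Echo only an allowlisted origin; never reflect an arbitrary one.
  if (allowed) headers["Access-Control-Allow-Origin"] = origin;

  if (method === "OPTIONS") {
    // Preflight, sent by the browser before a non-simple cross-origin POST.
    if (!allowed) return { status: 403, headers, revoke: false };
    headers["Access-Control-Allow-Methods"] = "POST";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers, revoke: false };
  }
  if (method !== "POST") {
    // A JSONP call would arrive as a GET from a script tag; this sketch
    // does not offer JSONP, so the endpoint never returns executable code.
    headers["Allow"] = "POST, OPTIONS";
    return { status: 405, headers, revoke: false };
  }
  // A browser POST from an unlisted origin is refused. Requests without an
  // Origin header (non-browser clients) are not subject to the CORS check.
  if (origin !== undefined && !allowed) {
    return { status: 403, headers, revoke: false };
  }
  return { status: 200, headers, revoke: true };
}

// Handler for Node's http server: (req, res) plus a revokeToken callback.
function handleRevocation(req, res, revokeToken) {
  const d = crossOriginDecision(req.method, req.headers.origin);
  if (!d.revoke) { res.writeHead(d.status, d.headers); res.end(); return; }
  let body = "";
  req.on("data", (chunk) => { body += chunk; });
  req.on("end", () => {
    // The token arrives form-encoded in the POST body.
    revokeToken(new URLSearchParams(body).get("token"));
    res.writeHead(d.status, d.headers);
    res.end();
  });
}
```

Client authentication and request-size limits are left out to keep the cross-origin logic visible.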