If you are talking about this spec 
http://openid.net/specs/openid-connect-session-1_0.html, then the correct 
list for questions is the OpenID Connect one at 
http://lists.openid.net/mailman/listinfo/openid-specs-ab.

Session management is not currently an OAuth WG document.

John B.

> On Jan 12, 2015, at 10:11 AM, Brock Allen <brockal...@gmail.com> wrote:
> 
> A couple of questions about the session management spec related to the status 
> change notifications (section 4): 
>  
> 1) Is there a working reference implementation of the JavaScript that goes 
> with the current draft of the spec?
>  
>  
> 2) For the statement from section 4.2: “The OP iframe MUST enforce that the 
> caller has the same origin as its parent frame.” I’m uncertain how to do this 
> in the OP iframe, given that it seems to be a cross-origin security concern 
> to ascertain the origin of the parent window. I don’t think ‘referrer’ is the 
> most reliable approach.
>  
>  
> 3) The spec states that the OP iframe and the RP iframe should be both 
> contained within the main RP window (so the iframes are siblings). Is there a 
> reason the RP iframe can’t contain the OP iframe?
>  
> If it can, then this would address my question #2 above, as the source.window 
> (on the message event args) can be compared to the parent.window to ensure 
> that only the parent is sending the messages.
>  
>  
> Thanks.
>  
> -Brock
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
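
An added example, not part of the original messages and not code from the spec: one way an OP iframe can perform the caller check raised in questions 2 and 3, using the browser-set `event.origin` for the sibling layout and additionally `event.source === parent` for the nested layout. The client registry, the function name `acceptMessage` and the `client_id session_state` message format are assumptions made for this example.

```javascript
// Constructed stand-in for the OP's client registry: client_id -> allowed RP origins.
const REGISTERED_ORIGINS = new Map([
  ["client-123", ["https://rp.example.com"]],
]);

// Decide whether the OP iframe should answer a postMessage event.
//   event  - the "message" event (data, origin, source)
//   win    - the OP iframe's own window (passed in so the check is testable)
//   nested - true for the layout in question 3, where the RP iframe is the
//            direct parent of the OP iframe
function acceptMessage(event, win, nested) {
  // Assumed message format: "<client_id> <session_state>".
  if (typeof event.data !== "string") return false;
  const sep = event.data.lastIndexOf(" ");
  if (sep <= 0) return false;
  const clientId = event.data.slice(0, sep);

  // event.origin is filled in by the browser from the sending window,
  // so the sender cannot choose its value. Require an exact match.
  const allowed = REGISTERED_ORIGINS.get(clientId) || [];
  if (!allowed.includes(event.origin)) return false;

  // Nested layout only: the sender must be the parent window itself.
  // In the sibling layout the sender is the RP iframe, not window.parent,
  // so this comparison would reject legitimate messages there.
  if (nested && event.source !== win.parent) return false;

  return true;
}

// Browser wiring for the sibling layout; skipped when no window exists.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    if (!acceptMessage(e, window, false)) return; // drop unexpected callers
    console.log("accepted session check from", e.origin);
  });
}
```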
