If you are talking about this spec http://openid.net/specs/openid-connect-session-1_0.html, then the correct list for questions is the OpenID Connect one at http://lists.openid.net/mailman/listinfo/openid-specs-ab.

Session management is not currently an OAuth WG document.

John B.

> On Jan 12, 2015, at 10:11 AM, Brock Allen <brockal...@gmail.com> wrote:
>
> A couple of questions about the session management spec related to the status change notifications (section 4):
>
> 1) Is there a working reference implementation of the JavaScript that goes with the current draft of the spec?
>
> 2) For the statement from section 4.2: “The OP iframe MUST enforce that the caller has the same origin as its parent frame.” I’m uncertain how to do this in the OP iframe, given that it seems to be a cross-origin security concern to ascertain the origin of the parent window. I don’t think ‘referrer’ is the most reliable approach.
>
> 3) The spec states that the OP iframe and the RP iframe should be both contained within the main RP window (so the iframes are siblings). Is there a reason the RP iframe can’t contain the OP iframe?
>
> If it can, then this would address my question #2 above, as the source.window (on the message event args) can be compared to the parent.window to ensure that only the parent is sending the messages.
>
> Thanks.
>
> -Brock
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth