Yep, my mistake. Apologies for the spam (including this apology email).
-Brock From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Monday, January 12, 2015 8:21 AM To: Brock Allen Cc: OAuth@ietf.org Subject: Re: [OAUTH-WG] session status change notification questions If you are talking about this spec http://openid.net/specs/openid-connect-session-1_0.html, then the correct list for questions is the openid Connect one at http://lists.openid.net/mailman/listinfo/openid-specs-ab. Session management is not currently a OAuth WG document. John B. On Jan 12, 2015, at 10:11 AM, Brock Allen <brockal...@gmail.com <mailto:brockal...@gmail.com> > wrote: A couple of questions about the session management spec related to the status change notifications (section 4): 1) Is there a working reference implementation of the JavaScript that goes with the current draft of the spec? 2) For the statement from section 4.2: “The OP iframe MUST enforce that the caller has the same origin as its parent frame.” I’m uncertain how to do this in the OP iframe, given that it seems to be a cross-origin security concern to ascertain the origin of the parent window. I don’t think ‘referrer’ is the most reliable approach. 3) The spec states that the OP iframe and the RP iframe should be both contained within the main RP window (so the iframes are siblings). Is there a reason the RP iframe can’t contain the OP iframe? If it can, then this would address my question #2 above, as the source.window (on the message event args) can be compared to the parent.window to ensure that only the parent is sending the messages. Thanks. -Brock _______________________________________________ OAuth mailing list <mailto:OAuth@ietf.org> OAuth@ietf.org <https://www.ietf.org/mailman/listinfo/oauth> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
