Thanks Rifaat, I just published a new version that fixes these references:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/21/

Aaron

On Thu, Dec 19, 2024 at 11:43 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
> Hi Philippe, Aaron,
>
> A few comments on the references:
>
> It looks like you have two unused references: RFC5116 and RFC9207.
> Please remove them if they are no longer needed.
>
> I think the following references should be moved to the normative
> reference section:
>
> *RFC8707*
> Section 9.1 has the following bullet point:
>
>> Use [RFC8707] to restrict access tokens to a single resource
>
> *RFC9449*
> Section 6.3.4.2.2 has the following text:
>
>> Browser-based OAuth clients can implement DPoP [RFC9449
>> <https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-20.html#RFC9449>]
>> to transition from bearer access tokens and bearer refresh tokens to
>> sender-constrained tokens.
>
> *serviceworker*
> Section 8.2 has some normative text around storage of tokens:
>
>> When aiming to isolate tokens from the application's execution context,
>> the Service Worker MUST NOT store tokens in any persistent storage API that
>> is shared with the main window.
>
> *WebMessaging*
> Section 6.3.3.3 has some normative text:
>
>> To guarantee confidentiality and authenticity of messages, both the
>> initiator origin and receiver origin of a postMessage MUST be verified
>> using the mechanisms inherently provided by the postMessage API (Section
>> 9.3.2 in [WebMessaging]).
>
> Thoughts?
>
> Regards,
> Rifaat
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
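Editor's note, not part of the thread or of the draft text quoted above: the WebMessaging requirement Rifaat quotes (both the initiator origin and the receiver origin of a postMessage MUST be verified) maps onto two concrete checks, one on each side of the channel. The example below is added here to show those two checks in working code. It is not code from the draft or from its authors. The origins `https://app.example` and `https://as.example`, the `access_token` message shape, and the `deliver` function that stands in for the browser's delivery rule are all constructed for this example so that it runs outside a browser.

```javascript
// Added example (not from the draft): the two postMessage origin checks.
// Sender side: the receiver origin is verified by passing an exact
// targetOrigin, never "*", so the browser refuses delivery if the target
// window has navigated elsewhere.
// Receiver side: the initiator origin is verified by comparing the
// browser-supplied event.origin against an exact allow-list before the
// payload is trusted.

// Assumed origins for this example.
const APP_ORIGIN = "https://app.example"; // window holding the token
const AS_ORIGIN = "https://as.example";   // window the token is sent to

// Constructed stand-in for the browser's postMessage delivery rule: a
// message reaches the receiver only when targetOrigin is "*" or equals the
// receiver's current origin. In a real browser event.origin is set by the
// browser from the sender's origin and cannot be forged by page script.
function deliver(senderOrigin, receiver, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== receiver.origin) {
    return false; // receiver origin mismatch: browser drops the message
  }
  receiver.inbox.push({ origin: senderOrigin, data });
  return true;
}

// Sender side. Refuses the wildcard so a token can never be handed to a
// window whose origin we did not name.
function sendToken(senderOrigin, receiver, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post a token with wildcard targetOrigin");
  }
  return deliver(senderOrigin, receiver, payload, targetOrigin);
}

// Receiver side. Checks event.origin exactly (no prefix or substring
// matching) and only then validates the message shape.
function handleMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) {
    return null; // unknown initiator origin: ignore the event entirely
  }
  if (!event.data || typeof event.data.access_token !== "string") {
    return null; // trusted origin but unexpected payload
  }
  return event.data.access_token;
}

// Worked scenario: one legitimate message, one misdirected send, one
// spoof attempt from an untrusted origin.
function runScenario() {
  const asWindow = { origin: AS_ORIGIN, inbox: [] };
  const payload = { access_token: "constructed-token" };

  const misdirected = sendToken(APP_ORIGIN, asWindow, payload, "https://other.example");
  const sent = sendToken(APP_ORIGIN, asWindow, payload, AS_ORIGIN);

  // The attacker's message is what a hostile window would produce; the
  // browser would stamp it with the attacker's origin, as simulated here.
  deliver("https://evil.example", asWindow, { access_token: "forged" }, AS_ORIGIN);

  const accepted = asWindow.inbox
    .map((event) => handleMessage(event, [APP_ORIGIN]))
    .filter((token) => token !== null);

  return { misdirected, sent, received: asWindow.inbox.length, accepted };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario());
}
```

The receiver check deliberately compares the full origin string; matching on a hostname substring or a URL prefix is the classic mistake that lets `https://app.example.evil.test` through.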