[Openid-specs-ab] Feedback on iframes versus images for logouts

Mike Jones Michael.Jones at microsoft.com
Tue Jun 30 00:52:23 UTC 2015

I asked this question to an engineer who owns Microsoft's logout decisions:

The working group talked about this today and we were wondering if people knew what the advantages of images over iframes are that caused past protocols such as SAML to choose the image route.  Do you have any insights?

I got this answer (which he OK'ed me sharing with the working group):

We plan to go with always doing IFRAME GETs. The pros are:

a.      Allow execution of JavaScript (so RPs can clear HTML5 storage)

b.      Allow the RP to function as an OP and in turn to frame downstream RPs.

We don't see any significant pros of the image based model. SAML/WS-Fed do not describe the image-based mechanism, that was just implementation detail for OrgId/LiveId, no one I've talked to can really bring up any distinct advantages other than the ability for the RP to signal back that signout failed so the OP can render an error page. We also have a precedent for ADFS and ACSv2 doing purely frames, and have not received any negative feedback on that approach.

Thought this would be useful data for the discussion on http://openid.net/specs/openid-connect-logout-1_0.html...

                                                            -- Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150630/94ca8ced/attachment.html>

More information about the Openid-specs-ab mailing list