<br><br><div class="gmail_quote">On Wed, Jul 13, 2011 at 10:41 PM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div class="gmail_quote"><div class="im">On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><div><blockquote type="cite"><div class="gmail_quote">On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Some questions, or suggestions regarding the spec...<br>
<br>
Core<br>
Section 4.<br>
Why are UserInfo endpoint responses receivable in JSON? If it's to<br>
make javascript client code easier, then you're encouraging using<br>
"eval" to execute arbitrary code from an untrusted server. Query<br>
string syntax would protect against this, and is at least as friendly<br>
to web servers as JSON is.<br></blockquote><div><br></div><div>It was following OAuth's pattern of getting the response back in JSON </div><div>as well as following Facebook Graph API. </div><div><br></div><div>Perhaps it is better to define a Query string version of response for </div>
<div>the implicit flow. Opinions? > Connectors. </div></div></blockquote><div><br></div></div><div>I don't know that having a key value form encoding of the User info endpoint response necessarily makes sense with some of the claims being JSON objects themselves.</div>
<div><br></div><div>I suppose it is something that we could add as an option if someone can describe a serialization.</div><div><br></div><div>The default response should remain JSON for the user Info endpoint.</div></div>
</div></blockquote><div><br></div></div><div>If the default response should remain JSON, are we going to have in the security section a comment saying RPs running as Javascript clients SHOULD NOT call the UserInfo endpoint and execute its results to deserialize the JSON objects? Do you agree that would be dangerous?</div>
</div></div>
</blockquote></div><div><br></div>Yes. Use <meta charset="utf-8"><span class="Apple-style-span" style="font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; ">json_parse.js or json-sans-eval like JSON parser which does not do eval. </span><br>
<br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>