[Openid-specs-ab] Session Management OP Frame assertions

Filip Skokan panva.ip at gmail.com
Thu Feb 22 08:08:26 UTC 2018


Hello everyone,

From OpenID Connect Session Management 1.0 - draft 28 [4.2. OP iframe]
<https://openid.net/specs/openid-connect-session-1_0.html#OPiframe>

> The OP iframe MUST enforce that the caller has the same origin as its
parent frame. It MUST reject postMessage requests from any other source
origin.

I understand the intention here but would like to raise a few
questions/issues.

1) cross-domain parent origin is not accessible, accessing
`window.parent.location.origin` raises a DOMException and other means of
reading the url are unreliable and inconsistent at best (accessing
`document.referrer` and building the origin url out of it).
2) the parent frame (tab) is not actually the origin of the message, this
would be the RP frame which might very well sit on a different subdomain,
resulting in another origin.

I can see the example in the specification is not handling this either. Do
you have any suggestions, is there something that I am missing? Is this
something to be tracked in bitbucket and removed from the draft?

Best,
*Filip Skokan*