[Openid-specs-ab] Session Management OP Frame assertions
Nat Sakimura
sakimura at gmail.com
Sun Feb 25 23:10:40 UTC 2018
Please submit the issue to the tracker.
Get Outlook for Android<https://aka.ms/ghei36>
________________________________
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of Filip Skokan via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Sent: Thursday, February 22, 2018 5:08:26 PM
To: openid-specs-ab at lists.openid.net Ab
Subject: [Openid-specs-ab] Session Management OP Frame assertions
Hello everyone,
from OpenID Connect Session Management 1.0 - draft 28 [4.2. OP iframe]<https://openid.net/specs/openid-connect-session-1_0.html#OPiframe>
> The OP iframe MUST enforce that the caller has the same origin as its parent frame. It MUST reject postMessage requests from any other source origin.
I understand the intention here but would like to raise a few questions/issues.
1) cross-domain parent origin is not accessible, accessing `window.parent.location.origin` raises a DOMException and other means of reading the url are unreliable and inconsistent at best (accessing `document.referrer` and building the origin url out of it).
2) the parent frame (tab) is not actually the origin of the message, this would be the RP frame which might very well sit on a different subdomain, resulting in another origin.
I can see the example in the specification is not handling this either. Do you have any suggestions, is there something that I am missing? Is this something to be tracked in bitbucket and remove from the draft?
Best,
Filip Skokan