<div><div class="gmail_quote">On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word"><div><div class="im"><blockquote type="cite"><div class="gmail_quote">On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Some questions, or suggestions regarding the spec...<br>
<br>
Core<br>
Section 4.<br>
Why are UserInfo endpoint responses receivable in JSON? If it's to<br>
make javascript client code easier, then you're encouraging using<br>
"eval" to execute arbitrary code from an untrusted server. Query<br>
string syntax would protect against this, and is at least as friendly<br>
to web servers as JSON is.<br></blockquote><div><br></div><div>It was following OAuth's pattern of getting the response back in JSON </div><div>as well as following Facebook Graph API. </div><div><br></div><div>Perhaps it is better to define a Query string version of response for </div>
<div>the implicit flow. Opinions? > Connectors. </div></div></blockquote><div><br></div></div><div>I don't know that having a key value form encoding of the User info endpoint response necessarily makes sense with some of the claims being JSON objects themselves.</div>
<div><br></div><div>I suppose it is something that we could add as an option if someone can describe a serialization.</div><div><br></div><div>The default response should remain JSON for the user Info endpoint.</div></div>
</div></blockquote><div><br></div><div>If the default response should remain JSON, are we going to have in the security section a comment saying RPs running as Javascript clients SHOULD NOT call the UserInfo endpoint and execute its results to deserialize the JSON objects? Do you agree that would be dangerous?</div>
</div></div>