<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:tahoma,new york,times,serif;font-size:10pt"><div style="font-family: tahoma,new york,times,serif; font-size: 10pt;">John,<br><br>The code is correct in that the fragment parameters are posted to<span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"> '</span><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><a rel="nofollow">https://</a></span><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">' + window.location.host + '/catch_response'</span><br>However, in the onreadystatechange function, when response from the POST is a HTTP 200 code, the current window's location is changed<br>params['state']. Unless, param['state'] is an URL, the browser might get an error because the location may not be a valid URL.<br>So I'm
just proposing that the line be changed to some URL so that there is no dependency on the state parameter being a URL.<br>Or we can just delete that line and add some comments to say the UI should be updated or refreshed.<br><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> John Bradley <ve7jtb@ve7jtb.com><br><b><span style="font-weight: bold;">To:</span></b> Edmund Jay <ejay@mgi1.com><br><b><span style="font-weight: bold;">Cc:</span></b> "<openid-specs-ab@lists.openid.net>" <openid-specs-ab@lists.openid.net><br><b><span style="font-weight: bold;">Sent:</span></b> Mon, April 9, 2012 6:52:15 PM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [Openid-specs-ab] JS Code example for Basic.<br></font><br><base>Edmund,<div><br></div><div>The parameters from the fragment are posted
to <span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">'</span><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><a rel="nofollow">https://</a></span><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">' + window.location.host + '/catch_response'</span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><br></span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">You want the example path to be '/logged_in_site' ?</span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><br></span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">I don't get what you are referring to with the state
parameter.</span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><br></span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">The redirect_uri would need to be <a rel="nofollow" target="_blank" href="https://client.example.com/cb">https://client.example.com/cb</a> that is why I included the GET.</span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><br></span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">I changed the parameter to postBody from queryString to make it clearer.</span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><br></span></div><div><span class="Apple-style-span" style="font-family: arial,helvetica,sans-serif; font-size: 13px;">John
B.</span></div><div><br><div><div>On 2012-04-09, at 9:46 PM, Edmund Jay wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; font-size: medium;"><div><div style="margin: 0px; font-family: tahoma,times,serif; font-size: 10pt;"><div style="margin: 0px;">John,<br><br>The code is correct, but only if the 'state' parameter in the request points a new location where the user-agent will be redirected to after sending the data<br>to the server.<br><br>Otherwise, we should just say write :<br><br><span>window.location = '<a rel="nofollow">https://</a>' + window.location.host</span><span class="Apple-converted-space"> </span>+
'/logged_in_site'<br><br>or something similar.<br><br><br>-- Edmund<br><br><br><br></div><div style="margin: 0px; font-family: tahoma,times,serif; font-size: 10pt;"><br><div style="margin: 0px; font-family: arial,helvetica,sans-serif; font-size: 10pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b><span class="Apple-converted-space"> </span>John Bradley <<a rel="nofollow" ymailto="mailto:ve7jtb@ve7jtb.com" target="_blank" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>><br><b><span style="font-weight: bold;">To:</span></b><span class="Apple-converted-space"> </span>"<<a rel="nofollow" ymailto="mailto:openid-specs-ab@lists.openid.net" target="_blank" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>" <<a rel="nofollow" ymailto="mailto:openid-specs-ab@lists.openid.net" target="_blank"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>><br><b><span style="font-weight: bold;">Sent:</span></b><span class="Apple-converted-space"> </span>Mon, April 9, 2012 9:13:44 AM<br><b><span style="font-weight: bold;">Subject:</span></b><span class="Apple-converted-space"> </span>[Openid-specs-ab] JS Code example for Basic.<br></font><br>I included a example JS in Basic that could be used by a RP to extract the fragment and post it back to the server.<br><br>I based it on a Google example, but changed it from GET to POST for security reasons.<br><br>I don't expect that it would work in all browsers, and would not work with no script turned on.<br><br>It is a example, covering all the conditions would take away from that.<br><br>I am including it in the email for people to review. <span class="Apple-converted-space"> </span><br><br>I am not a AJAX programer, so it could be wrong.<br><br>Feedback
please.<br><br>John B.<br><br>GET /cb HTTP/1.1<br>Host: <a rel="nofollow" target="_blank" href="http://client.example.com">client.example.com</a><br> <span class="Apple-converted-space"> </span><br> <span class="Apple-converted-space"> </span><br>HTTP/1.1 200 OK<br>Content-Type: text/html; charset=utf-8<br><br><script type="text/javascript"><br><br>// First, parse the query string<br>var params = {}, queryString = location.hash.substring(1),<br> regex = /([^&=]+)=([^&]*)/g, m;<br>while (m = regex.exec(queryString)) {<br> params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);<br>}<br><br>// And send the token over to the server<br>var req = new XMLHttpRequest();<br>// using POST so query isn't logged<br><span>req.open('POST', '<a rel="nofollow">https://</a>' + window.location.host + '/catch_response',
true);</span><br>req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');<br><br>req.onreadystatechange = function (e) {<br> if (req.readyState == 4) {<br> if(req.status == 200){<br> window.location = params['state']<br> }<br> else if(req.status == 400) {<br> alert('There was an error processing the token.')<br> }<br> else {<br> alert('something else other than 200 was returned')<br> }<br> }<br>};<br>req.send(queryString);</div></div></div></div></span></blockquote></div><br></div></div></div>
</div></body></html>