<div dir="ltr">I am no expert on it, but apparently Unicode defines a bunch of space chars like: <div><br>U+2000 en quad<br>U+2001 em quad<br>U+2002 en space<br>U+2003 em space<br>U+2004 three-per-em space<br>U+2005 four-per-em space</div>
<div><br></div><div>So, my concern is twofold: </div><div><br></div><div><ol><li>If we say "space", if it were to be chosen from NQCHAR, it will always be 0x20. Otherwise, it is ambiguous. <br></li><li>If we allowed the string to be UTF-8, is there not some chance that underlying processing middleware normalizes these space chars to 0x20? <br>
</li></ol></div><div><br></div><div>Nat</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-08-19 21:01 GMT+09:00  <span dir="ltr"><<a href="mailto:Axel.Nennker@telekom.de" target="_blank">Axel.Nennker@telekom.de</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Nat, where do you think that problems might arise? Could you please be more specific?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regarding the spec in general:<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">          </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I guess the spec does the space-delimited-string trickery because some implementations of postMessage barf on message being a JSON object, right?<u></u><u></u></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Do we really need to handle these implementations' fault? <br>Why not use (example in 4.1)<br></span><span style="font-size:11.0pt;font-family:"Courier New";color:#1f497d">var mes = {'client_id': client_id, 'session_state': session_state};<br>
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> and handle this fault through JSON.stringify only if necessary, as an implementers' note?<br>If the values are JSON strings: do we have a problem with charsets? Or does this potential problem arise from the use of the hash function in the example?<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">          </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I think that the required test “Validate message origin” should be part of the example:</span></p>
<pre style="margin-left:36.0pt"><span style="font-size:10.0pt;font-family:"Courier New"">// Do we trust the sender of this message?
if (event.origin !== rp_origin)
    return;</span></pre>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">          </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The variable “message” appears from nowhere in the example:</span></p>
<pre style="margin-left:36.0pt"><span style="font-size:10.0pt;font-family:"Courier New"">var message = e.data; // {'client_id': client_id, 'session_state': session_state}</span></pre>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Do we really need the hashing stuff in the example? Why the double use of salt in the 4.2 example?</span><span style="font-size:11.0pt;font-family:"Courier New";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Axel<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="http://www.w3.org/html/wg/drafts/html/master/infrastructure.html#safe-passing-of-structured-data" target="_blank">http://www.w3.org/html/wg/drafts/html/master/infrastructure.html#safe-passing-of-structured-data</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage" target="_blank">https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><br>
<br><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>] <b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Tuesday, August 19, 2014 2:04 AM<br><b>To:</b> Nat Sakimura</span></p><div><div class="h5"><br><b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Session - session_state in UTF-8?<u></u><u></u></div></div><p></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I’m not sure.  It would be good to hear from implementers.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Nat Sakimura [<a href="mailto:sakimura@gmail.com" target="_blank">mailto:sakimura@gmail.com</a>] <br>
<b>Sent:</b> Monday, August 18, 2014 4:53 PM<br><b>To:</b> Mike Jones<br><b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b> Re: [Openid-specs-ab] Session - session_state in UTF-8?<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Agreed. NQCHAR would be good. <u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Is it a good idea or am I just being overly anxious? <u></u><u></u></p>
</div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Nat<u></u><u></u></p></div></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p><div><p class="MsoNormal">2014-08-19 8:43 GMT+09:00 Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>>:<u></u><u></u></p>
<div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If we’re going to do this, we should restrict it to the NQCHAR set from <a href="http://tools.ietf.org/html/rfc6749#appendix-A.1" target="_blank">http://tools.ietf.org/html/rfc6749#appendix-A.1</a>:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN" style="font-family:"Courier New"">     NQCHAR     = %x21 / %x23-5B / %x5D-7E</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">(printable ASCII without double quote or backslash)</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                                -- Mike</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>] <b>On Behalf Of </b>Nat Sakimura<br>
<b>Sent:</b> Monday, August 18, 2014 4:38 PM<br><b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b> [Openid-specs-ab] Session - session_state in UTF-8?</span><u></u><u></u></p>
<div><div><p class="MsoNormal"> <u></u><u></u></p><div><div><p class="MsoNormal">One question. This just occurred to me when reading the proposed text on issue #915 ( <a href="https://bitbucket.org/openid/connect/issue/915/" target="_blank">https://bitbucket.org/openid/connect/issue/915/</a> ). <u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Do we want to restrict the repertoire allowed in the session_state string? <u></u><u></u></p></div><div><p class="MsoNormal">I am a bit concerned that a bunch of unexpected consequences may happen when multi-byte chars are used in it, as it will be transmitted over the HTTP param and is usually dealt with by the middleware the software is using. <u></u><u></u></p>
</div><div><p class="MsoNormal">If we are sure that it would not, I am fine with it, but if we are not sure, it may be better to constrain the repertoire to ASCII etc. to be on the safe side. <u></u><u></u></p></div><div>
<p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Perhaps I should reopen issue #917 (<a href="https://bitbucket.org/openid/connect/issue/917" target="_blank">https://bitbucket.org/openid/connect/issue/917</a>) ? <u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><p class="MsoNormal">-- <br>Nat Sakimura (=nat)<u></u><u></u></p><div><p class="MsoNormal">Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></p></div></div></div></div></div></div></div><p class="MsoNormal"><br><br clear="all"><u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">-- <br>Nat Sakimura (=nat)<u></u><u></u></p>
<div><p class="MsoNormal">Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en<u></u><u></u></p></div></div></div></div></div></div></blockquote></div>
<br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>
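An added example, not code from any message in this thread or from the OpenID spec, that puts Mike's NQCHAR restriction and Axel's origin check together as a JavaScript handler for the OP frame: because 0x20 is not in NQCHAR, the only space that can ever appear is the delimiter, and a Unicode space such as U+2003 fails validation instead of depending on whether some middleware normalizes it. The rpOrigin value, the sample events and the "client_id session_state" message shape (taken from Axel's description of the space-delimited string) are assumptions for illustration.

```javascript
// Added example, not code from the thread or the OpenID spec: an OP-frame
// message handler that applies the NQCHAR restriction and the origin check.
// rpOrigin and the sample events are constructed for illustration.

// NQCHAR = %x21 / %x23-5B / %x5D-7E (printable ASCII without '"' or '\').
// 0x20 is not in the set, so a space can only ever be the delimiter.
const NQCHAR_RE = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

function isNqchar(s) {
  return typeof s === "string" && NQCHAR_RE.test(s);
}

// Parse "client_id session_state" (assumed message shape). Exactly one 0x20
// byte is accepted as the delimiter; a Unicode space such as U+2003 is simply
// an illegal character in either token, so it is rejected here instead of
// being silently normalized somewhere in the middleware.
function parseSessionMessage(data) {
  if (typeof data !== "string") return null;
  const idx = data.indexOf(" ");
  if (idx <= 0 || idx !== data.lastIndexOf(" ")) return null;
  const clientId = data.slice(0, idx);
  const sessionState = data.slice(idx + 1);
  if (!isNqchar(clientId) || !isNqchar(sessionState)) return null;
  return { client_id: clientId, session_state: sessionState };
}

// Validate the message origin first; only then look at the payload. Returns
// the parsed message or null. A real OP frame would go on to compare
// session_state with its own session state and post the result back.
function handleSessionEvent(event, rpOrigin) {
  if (event.origin !== rpOrigin) return null; // do we trust the sender?
  return parseSessionMessage(event.data);
}

// Constructed sample events (not real traffic).
const RP_ORIGIN = "https://rp.example";
const goodEvent = { origin: RP_ORIGIN, data: "client123 abc-def_ghi" };
const wrongOrigin = { origin: "https://other.example", data: "client123 abc-def_ghi" };
const emSpaceEvent = { origin: RP_ORIGIN, data: "client123 abc\u2003def" };
const utf8Event = { origin: RP_ORIGIN, data: "client123 s\u00e9ssion" };
```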