Non-recoverable auth failure?
Brad Fitzpatrick
brad at danga.com
Tue Jun 28 19:32:16 PDT 2005
On Tue, 28 Jun 2005, Carl Howells wrote:
> Brad Fitzpatrick wrote:
> > I don't like the idea of introducing a new URL and specifying the security
> > restrictions on what that URL can be (anything under trust_root?).
>
> Huh? The only change I'm proposing (at this point) is removing
> post_grant, and defining the behavior to always be what
> post_grant=return specified before.

Okay, okay, now we're talking.

That proposal I think I actually like. (I also hate the weird
post_grant special cases, btw.)

Let me do some browser tests on some JavaScript stuff right now and get
back to you.

In particular, I want to test an automatic AJAX mode:

-- original window opens a full-sized new window, remembering
   the new window's reference
-- new window does identity trust, returns, finds window.opener (if it
   still exists after moving between domains?), and then completes
   transaction by talking to window.opener

If so (and I think it'll be fine) then I'm all in favor of dropping
post_grant and making the spec say it always returns.

Anybody else for/against that?

- Brad
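
The popup flow sketched in the message above, as an added example that is not part of the original post or of any Yadis code. The function names, the `completeIdentityCheck` callback and the window name are hypothetical, and it assumes the return page is served from the same origin as the original window, so that `window.opener` is reachable again once the new window comes back from the identity server's domain.

```javascript
// Added illustration; all names here are hypothetical, not from the spec.

// Runs in the original window: open the new window and remember its reference.
function startIdentityCheck(win, identityServerUrl, onResult) {
  let popup = null;
  // Callback that the returning page looks up through window.opener.
  win.completeIdentityCheck = function (params) {
    delete win.completeIdentityCheck;          // one-shot: later calls find nothing
    if (popup && !popup.closed) popup.close();
    onResult(params);
  };
  popup = win.open(identityServerUrl, "identity_check");
  if (!popup) {                                // popup blocked: no transaction pending
    delete win.completeIdentityCheck;
    return null;
  }
  return popup;
}

// Runs on the return page inside the new window, after the identity server
// has sent the browser back. Returns true if the opener accepted the result;
// false means the page must complete the transaction without the opener.
function finishIdentityCheck(win) {
  let opener;
  try {
    opener = win.opener;
    // The opener may be gone, closed, or navigated to another origin
    // (in which case touching its properties throws).
    if (!opener || opener.closed ||
        typeof opener.completeIdentityCheck !== "function") {
      return false;
    }
  } catch (err) {
    return false;
  }
  // Hand the returned query parameters to the original window unchanged.
  const params = {};
  for (const [key, value] of new URLSearchParams(win.location.search)) {
    params[key] = value;
  }
  opener.completeIdentityCheck(params);
  return true;
}
```

The `false` return is the case the message asks about: if `window.opener` does not survive the trip between domains, the return page has to finish in the new window itself.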