That's correct - you can use an auto-submit form with GET, or use JavaScript (document.location.replace) or a META redirect tag, to make the browser do a GET. We have been doing this for a very, very long time too - mainly the JavaScript method, as it helps in restoring the back button functionality (better UE).

- Praveen



[EMAIL PROTECTED] wrote:
On 7-Nov-06, at 12:34 PM, Recordon, David wrote:

  
Moving this to the list, I really should have started it there in the
first place.

--David

-----Original Message-----
From: Recordon, David
Sent: Monday, November 06, 2006 2:06 PM
To: 'Dick Hardt'; Josh Hoyt
Subject: RE: IdP's Advertising Both http and https

Hey Dick,
But the security warnings will still exist:
 - RP redirects me to http on IdP
 - IdP redirects me to https on IdP for login page (warning)
    

no warning on GET redirects

  
 - I interact with IdP for "trust request" via https
 - I submit HTTPS form
 - IdP redirects me back to RP via http (warning)
    

not if you do a GET redirect

  
Am I missing something here?
    

redirected POSTs produce a warning, redirected GETs do not

  
I guess I'm not sure what I think we should do, though don't think this is a simple problem.
    

We built this out with our SXIP 2.0 code. Worked fine. No warnings.

-- Dick

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
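
The GET redirect techniques named in the thread (document.location.replace with a META refresh fallback), as an added example that is not code from the thread or from any OpenID or SXIP implementation. The function names, the rp.example URL and the sample parameter are constructed for illustration; the helper accepts only http/https return URLs and escapes the target for each context it is written into.

```javascript
// Added example: IdP-side helper that returns the browser to the RP with a GET.
// All names here (buildRedirectUrl, buildGetRedirectPage) are hypothetical.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Append response parameters to the RP's return URL as a query string.
function buildRedirectUrl(returnTo, params) {
  const url = new URL(returnTo); // throws on malformed input
  // Reject javascript:, data: and other schemes before the URL reaches script.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('return URL must be http or https');
  }
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value); // percent-encodes the value
  }
  return url.toString();
}

// Render the page the IdP serves after its HTTPS form has been handled.
function buildGetRedirectPage(returnTo, params) {
  const target = buildRedirectUrl(returnTo, params);
  // JSON.stringify yields a valid JS string literal; "<" is escaped as well
  // so the URL can never terminate the script element.
  const jsLiteral = JSON.stringify(target).replace(/</g, '\\u003c');
  const htmlTarget = escapeHtml(target);
  return [
    '<!DOCTYPE html>',
    '<html><head><title>Redirecting</title>',
    // Fallback for browsers with scripting disabled.
    `<noscript><meta http-equiv="refresh" content="0;url=${htmlTarget}"></noscript>`,
    // replace() navigates with a GET and adds no extra history entry,
    // so the back button skips this intermediate page.
    `<script>document.location.replace(${jsLiteral});</script>`,
    '</head><body>',
    `<p><a href="${htmlTarget}">Continue</a></p>`,
    '</body></html>',
  ].join('\n');
}
```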
  