Merge branch 'main' into 159-remove-requirement-on-matching-iss-values

c2bo · web-flow · commit 1f720badae1d · 2024-08-29T11:35:15.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -23,3 +23,4 @@ report.xml
 __pycache__
 examples/
 !requirements.txt
+.idea/
diff --git a/README.md b/README.md
@@ -28,3 +28,7 @@ $ make
 Command line usage requires that you have the necessary software installed.  See
 [the instructions](https://github.com/martinthomson/i-d-template/blob/main/doc/SETUP.md).
 
+# Testing
+
+You may use this [Cyberchef script](https://gchq.github.io/CyberChef/#recipe=JWT_Decode()JPath_expression('status_list.lst','%5C%5Cn')From_Base64('A-Za-z0-9-_',true,false)Zlib_Inflate(0,0,'Adaptive',false,false)To_Binary('Line%20feed',8)Add_line_numbers()) to quickly analyze a Token Status List in JWT format.
+
diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md
@@ -59,6 +59,11 @@ normative:
       org: "IANA"
     title: "CBOR Web Token (CWT) Claims"
     target: "https://www.iana.org/assignments/cwt/cwt.xhtml"
+  CORS:
+    author:
+      org: "WHATWG"
+    title: "Fetch Living Standard"
+    target: "https://fetch.spec.whatwg.org/#http-cors-protocol"
 
 informative:
   RFC6749: RFC6749
@@ -420,6 +425,8 @@ To obtain the Status List or Status List Token, the Relying Party MUST send an H
 
 If the Status List is provided by an HTTP endpoint (and not as a Status List Token), the provider of the Status List MUST utilize TLS. Which version(s) should be implemented will vary over time. A TLS server certificate check MUST be performed as defined in Section 5 and 6 of {{RFC6125}}.
 
+The HTTP endpoint SHOULD support the use of Cross-Origin Resource Sharing (CORS) {{CORS}} and/or other methods as appropriate to enable Browser-Based clients to access it.
+
 The Relying Party SHOULD send the following Accept-Header to indicate the requested response type:
 
 - "application/statuslist+json" for Status List in JSON format
@@ -864,6 +871,7 @@ for their valuable contributions, discussions and feedback to this specification
 -04
 
 * remove requirement for matching iss claim in Referenced Token and Status List Token
+* add CORS considerations to the http endpoint
 * fix reference of Status List in CBOR format
 * added status_list CWT claim key assigned
 * move base64url definition to terminology
