Merge pull request #166 from oauth-wg/c2bo/cors

paulbastian · web-flow · commit b019cbf1c862 · 2024-08-29T09:31:25.000+02:00
add cors considerations to the http endpoint
diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md
@@ -59,6 +59,11 @@ normative:
       org: "IANA"
     title: "CBOR Web Token (CWT) Claims"
     target: "https://www.iana.org/assignments/cwt/cwt.xhtml"
+  CORS:
+    author:
+      org: "WHATWG"
+    title: "Fetch Living Standard"
+    target: "https://fetch.spec.whatwg.org/#http-cors-protocol"
 
 informative:
   RFC6749: RFC6749
@@ -424,6 +429,8 @@ To obtain the Status List or Status List Token, the Relying Party MUST send an H
 
 If the Status List is provided by an HTTP endpoint (and not as a Status List Token), the provider of the Status List MUST utilize TLS. Which version(s) should be implemented will vary over time. A TLS server certificate check MUST be performed as defined in Section 5 and 6 of {{RFC6125}}.
 
+The HTTP endpoint SHOULD support the use of Cross-Origin Resource Sharing (CORS) {{CORS}} and/or other methods as appropriate to enable Browser-Based clients to access it.
+
 The Relying Party SHOULD send the following Accept-Header to indicate the requested response type:
 
 - "application/statuslist+json" for Status List in JSON format
@@ -868,6 +875,7 @@ for their valuable contributions, discussions and feedback to this specification
 
 -04
 
+* add CORS considerations to the http endpoint
 * fix reference of Status List in CBOR format
 * added status_list CWT claim key assigned
 * move base64url definition to terminology
