@@ -565,16 +565,16 @@ Internet-Draft remoteStorage June 2016
565565
566566 The server MAY expire bearer tokens, and MAY require the user to
567567 register applications as OAuth clients before first use; if no
568- client registration is required, then the server MAY ignore the
569- value of the client_id parameter in favor of relying on the origin
570- of the redirect_uri parameter for unique client identification. See
571- section 4 of [ORIGIN] for computing the Origin .
568+ client registration is required, the server MUST ignore the value of
569+ the client_id parameter in favor of relying on the origin of the
570+ redirect_uri parameter for unique client identification. See section
571+ 4 of [ORIGIN] for computing the origin .
572572
57357311. Storage-first bearer token issuance
574574
575575 To request that the application connects to the user account
576576 <account> ' ' <host>, providers MAY redirect to applications with a
577- ` remotestorage` field in the URL fragment, with the user account as
577+ ' remotestorage' field in the URL fragment, with the user account as
578578 value.
579579
580580 The appplication MUST make sure this request is intended by the
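Review bot: tightening "MAY ignore" to "MUST ignore" the client_id value makes the origin of redirect_uri the only client identity a server has when no registration is required, so the rewritten sentence should also say that the server MUST validate redirect_uri before deriving anything from it (at minimum that it is an absolute URL from which an origin can be computed per section 4 of [ORIGIN]), otherwise a MUST here removes the one other signal a server could have cross-checked. Suggest appending: "The server MUST reject a request whose redirect_uri is not an absolute URL with a computable origin." The case change from "Origin" to "origin" is fine. Separately, the unchanged context line still reads "appplication"; while this section is being touched it is worth correcting to "application".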
@@ -583,6 +583,11 @@ Internet-Draft remoteStorage June 2016
583583 SHOULD connect to the given provider account, as defined in Section
584584 10.
585585
586+ If the 'remotestorage' field exists in the URL fragment, the
587+ application SHOULD ignore any other parameters such as
588+ 'access_token' or 'state', to ensure compatibility with servers
589+ that implement older versions of this specification.
590+
58659112. Example wire transcripts
587592
588593 The following examples are not normative ("\" indicates a line was
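Review bot: the added paragraph gives only backward compatibility as the reason to ignore "access_token" or "state" next to a "remotestorage" fragment field, but the security reason is the important one and should be stated: a storage-first redirect is not the completion of an OAuth flow the application started, so an "access_token" arriving with it was never requested by the application and is not bound to any "state" value it issued, and using it would mean accepting a token of unknown provenance. Suggest strengthening "SHOULD ignore" to "MUST ignore" for "access_token", and adding one sentence tying this back to the preceding paragraph, e.g. "The application treats the redirect only as a request to connect, and obtains its own token through the flow in Section 10." A short note on why older servers include those parameters would also help readers understand the compatibility clause.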
@@ -593,18 +598,18 @@ Internet-Draft remoteStorage June 2016
593598 In application-first, an in-browser application might issue the
594599 following request, using XMLHttpRequest and CORS:
595600
596- GET /.well-known/webfinger?resource=acct:michiel@michielbdejon\
597- g.com HTTP/1.1
598- Host: michielbdejong.com
599-
600- and the server's response might look like this:
601601
602602
603603de Jong [Page 12]
604604
605605Internet-Draft remoteStorage June 2016
606606
607607
608+ GET /.well-known/webfinger?resource=acct:michiel@michielbdejon\
609+ g.com HTTP/1.1
610+ Host: michielbdejong.com
611+
612+ and the server's response might look like this:
608613
609614 HTTP/1.1 200 OK
610615 Access-Control-Allow-Origin: *
@@ -643,18 +648,18 @@ motestorage-06",
643648
644649 GET /oauth/michiel?redirect_uri=https%3A%2F%2Fdrinks-unhosted.5\
645650apps.com%2F&scope=myfavoritedrinks%3Arw&client_id=https%3A%2F%2Fdrinks-\
646- unhosted.5apps.com&response_type=token HTTP/1.1
647- Host: 3pp.io
648-
649- The server's response might look like this (truncated for brevity):
650-
651651
652652
653653de Jong [Page 13]
654654
655655Internet-Draft remoteStorage June 2016
656656
657657
658+ unhosted.5apps.com&response_type=token HTTP/1.1
659+ Host: 3pp.io
660+
661+ The server's response might look like this (truncated for brevity):
662+
658663 HTTP/1.1 200 OK
659664
660665 <!DOCTYPE html>
@@ -694,17 +699,17 @@ low
694699 may affect the server-state, the browser will make a preflight
695700 request first, with the OPTIONS verb, for instance:
696701
697- OPTIONS /storage/michiel/myfavoritedrinks/ HTTP/1.1
698- Host: 3pp.io:4439
699- Access-Control-Request-Method: GET
700- Origin: https://drinks-unhosted.5apps.com
701-
702702
703703de Jong [Page 14]
704704
705705Internet-Draft remoteStorage June 2016
706706
707707
708+
709+ OPTIONS /storage/michiel/myfavoritedrinks/ HTTP/1.1
710+ Host: 3pp.io:4439
711+ Access-Control-Request-Method: GET
712+ Origin: https://drinks-unhosted.5apps.com
708713 Access-Control-Request-Headers: Authorization
709714 Referer: https://drinks-unhosted.5apps.com/
710715
@@ -744,17 +749,17 @@ ntent-Type, Origin, X-Requested-With, If-Match, If-None-Match
744749 A subsequent PUT may contain an 'If-Match' header referring to the
745750 ETag previously returned, like this:
746751
747- PUT /storage/michiel/myfavoritedrinks/test HTTP/1.1
748- Host: 3pp.io:4439
749- Content-Length: 91
750- Origin: https://drinks-unhosted.5apps.com
751-
752752
753753de Jong [Page 15]
754754
755755Internet-Draft remoteStorage June 2016
756756
757757
758+
759+ PUT /storage/michiel/myfavoritedrinks/test HTTP/1.1
760+ Host: 3pp.io:4439
761+ Content-Length: 91
762+ Origin: https://drinks-unhosted.5apps.com
758763 Authorization: Bearer j2YnGtXjzzzHNjkd1CJxoQubA1o=
759764 Content-Type: application/json; charset=UTF-8
760765 Referer: https://drinks-unhosted.5apps.com/
@@ -793,18 +798,18 @@ e.io/spec/modules/myfavoritedrinks/drink"}
793798 Access-Control-Allow-Origin: https://drinks-unhosted.5apps.com
794799 Content-Type: application/json; charset=UTF-8
795800 Content-Length: 106
796- ETag: "1382694048000"
797- Cache-Control: no-cache
798-
799- {"name":"test", "updated":true, "@context":"http://remotestora\
800- ge.io/spec/modules/myfavoritedrinks/drink"}
801801
802802
803803de Jong [Page 16]
804804
805805Internet-Draft remoteStorage June 2016
806806
807807
808+ ETag: "1382694048000"
809+ Cache-Control: no-cache
810+
811+ {"name":"test", "updated":true, "@context":"http://remotestora\
812+ ge.io/spec/modules/myfavoritedrinks/drink"}
808813
809814 If the GET URL would have been "/storage/michiel/myfavoritedrinks/",
810815 a 200 OK response would have a folder description as the response
@@ -843,18 +848,18 @@ charset=UTF-8","Content-Length":106}}}
843848 And the server may respond with a 412 Conflict or a 200 OK status:
844849
845850 HTTP/1.1 412 Conflict
846- Access-Control-Allow-Origin: https://drinks-unhosted.5apps.com
847- ETag: "1382694048000"
848-
849-
850-
851851
852852
853853de Jong [Page 17]
854854
855855Internet-Draft remoteStorage June 2016
856856
857857
858+ Access-Control-Allow-Origin: https://drinks-unhosted.5apps.com
859+ ETag: "1382694048000"
860+
861+
862+
85886313. Distributed versioning
859864
860865 This section is non-normative, and is intended to explain some of
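Review bot: this hunk only re-paginates, but the context lines it carries ("And the server may respond with a 412 Conflict or a 200 OK status:" and "HTTP/1.1 412 Conflict") pair status code 412 with the reason phrase "Conflict"; the HTTP reason phrase for 412 is "Precondition Failed" (409 is "Conflict"). Since the example illustrates an If-Match mismatch, 412 is the right code and both lines should read "412 Precondition Failed", e.g. "HTTP/1.1 412 Precondition Failed".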
@@ -893,18 +898,18 @@ Internet-Draft remoteStorage June 2016
893898 changes individually.
894899
895900 As an example, the root folder may contain 10 directories,
896- each of which contain 10 directories, which each contain 10
897- documents, so their paths would be for instance '/0/0/1', '/0/0/2',
898- etcetera. Then one GET request to the root folder '/' will be
899- enough to know if any of these 1000 documents has changed.
900-
901901
902902
903903de Jong [Page 18]
904904
905905Internet-Draft remoteStorage June 2016
906906
907907
908+ each of which contain 10 directories, which each contain 10
909+ documents, so their paths would be for instance '/0/0/1', '/0/0/2',
910+ etcetera. Then one GET request to the root folder '/' will be
911+ enough to know if any of these 1000 documents has changed.
912+
908913 Say document '/7/9/2' has changed; then the GET request to '/' will
909914 come back with a different ETag, and entry '7/' will have a
910915 different value in its JSON content. The client could then request
@@ -944,17 +949,17 @@ Internet-Draft remoteStorage June 2016
944949 OAuth dialog and launch dashboard or token revocation interface
945950 SHOULD be on a different origin than the remoteStorage interface.
946951
947- Where the use of bearer tokens is impractical, a user may choose to
948- store documents on hard-to-guess URLs [CAPABILITIES] whose path
949- after <storage_root> starts with '/public/', while sharing this URL
950- only with the intended audience. That way, only parties who know the
951-
952952
953953de Jong [Page 19]
954954
955955Internet-Draft remoteStorage June 2016
956956
957957
958+
959+ Where the use of bearer tokens is impractical, a user may choose to
960+ store documents on hard-to-guess URLs [CAPABILITIES] whose path
961+ after <storage_root> starts with '/public/', while sharing this URL
962+ only with the intended audience. That way, only parties who know the
958963 document's hard-to-guess URL, can access it. The server SHOULD
959964 therefore make an effort to detect and stop brute-force attacks that
960965 attempt to guess the location of such documents.
@@ -993,18 +998,18 @@ Internet-Draft remoteStorage June 2016
993998 Levels", BCP 14, RFC 2119, March 1997.
994999
9951000 [IRI]
996- Duerst, M., "Internationalized Resource Identifiers (IRIs)",
997- RFC 3987, January 2005.
998-
999- [URI]
1000- Fielding, R., "Uniform Resource Identifier (URI): Generic
10011001
10021002
10031003de Jong [Page 20]
10041004
10051005Internet-Draft remoteStorage June 2016
10061006
10071007
1008+ Duerst, M., "Internationalized Resource Identifiers (IRIs)",
1009+ RFC 3987, January 2005.
1010+
1011+ [URI]
1012+ Fielding, R., "Uniform Resource Identifier (URI): Generic
10081013 Syntax", RFC 3986, January 2005.
10091014
10101015 [WEBFINGER]
@@ -1043,18 +1048,18 @@ Internet-Draft remoteStorage June 2016
10431048 [JSON-LD]
10441049 M. Sporny, G. Kellogg, M. Lanthaler, "JSON-LD 1.0", W3C
10451050 Proposed Recommendation,
1046- http://www.w3.org/TR/2014/REC-json-ld-20140116/, January 2014.
1047-
1048- [CORS]
1049- van Kesteren, Anne (ed), "Cross-Origin Resource Sharing --
1050- W3C Candidate Recommendation 29 January 2013",
10511051
10521052
10531053de Jong [Page 21]
10541054
10551055Internet-Draft remoteStorage June 2016
10561056
10571057
1058+ http://www.w3.org/TR/2014/REC-json-ld-20140116/, January 2014.
1059+
1060+ [CORS]
1061+ van Kesteren, Anne (ed), "Cross-Origin Resource Sharing --
1062+ W3C Candidate Recommendation 29 January 2013",
10581063 http://www.w3.org/TR/cors/, January 2013.
10591064
10601065 [KERBEROS]
@@ -1095,9 +1100,4 @@ Internet-Draft remoteStorage June 2016
10951100
10961101
10971102
1098-
1099-
1100-
1101-
1102-
11031103de Jong [Page 22]