1EdTech / openbadges-discussion

A no-code repository for having discussions related to the general technical issues of openbadges.

How to handle spec's same-origin verification requirement with badges being hosted on issuing platforms of different origin #10

Closed: threeqube closed 7 years ago

threeqube commented 10 years ago

Thread was originally started here: https://github.com/mozilla/openbadges/issues/1003

ottonomy commented 10 years ago

Just to clarify from my larger comments in the original issue thread, there are two cases with hosted badges to handle:

  1. issuer.json on exampleplatform.net claims to issue badges on behalf of trusteduniversity.edu (this case is an example of using an issuing platform. Q: how can a badge system declare which issuing platform is authentic?)
  2. issuer.json, badgeclass.json, and badgeimg.png are hosted on example.com, and an untrustworthy scoundrel hosts an assertion that references them on a different domain. (Off the top of my head, I can't think of any legitimate uses of this structure for which to make allowances.)

Thanks for discussing, @threeqube and all.
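The two cases in the comment above, written as origin checks. This is an added example, not code from the thread or from the Open Badges project. It assumes the Open Badges 1.x hosted layout (`verify.url` and `badge` on the assertion, `issuer` on the badge class, `url` in issuer.json); the finding labels, the `sample` helper and the `scoundrel.example` host are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def check_hosted_badge(assertion, badgeclass, issuer_doc):
    """Classify a hosted badge against the two cases in the comment above.

    Field names are assumed from the Open Badges 1.x hosted layout; the
    finding labels are hypothetical.
    """
    findings = []
    hosted_at = origin(assertion["verify"]["url"])
    issuer_json_at = origin(badgeclass["issuer"])

    # Case 2: the assertion lives on a different origin than the badge
    # class or issuer file it references.
    if origin(assertion["badge"]) != hosted_at or issuer_json_at != hosted_at:
        findings.append("cross-origin-reference")

    # Case 1: issuer.json names an organization on another origin than the
    # one serving it; same-origin checks pass, so the claim needs
    # confirmation from the named organization.
    if origin(issuer_doc["url"]) != issuer_json_at:
        findings.append("issuer-claim-unverified")
    return findings


def sample(assertion_host, badge_host, org_url):
    """Build constructed sample documents (not real badge data)."""
    assertion = {
        "verify": {"type": "hosted", "url": f"https://{assertion_host}/assertion.json"},
        "badge": f"https://{badge_host}/badgeclass.json",
    }
    badgeclass = {"issuer": f"https://{badge_host}/issuer.json"}
    return assertion, badgeclass, {"url": org_url}


if __name__ == "__main__":
    print(check_hosted_badge(*sample("exampleplatform.net", "exampleplatform.net", "https://trusteduniversity.edu")))
    print(check_hosted_badge(*sample("scoundrel.example", "example.com", "https://example.com")))
```

Case 1 passes a plain same-origin comparison of assertion, badge class and issuer file, which is why it is reported separately rather than rejected.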

timothyfcook commented 7 years ago

Moving to archive.