Open matthieusieben opened 2 months ago
I would argue that data URIs should not be used in the metadata documents, and only https URIs should be used. If you did wish to support data URIs, then it would obviously increase the size limit you'd need for the whole metadata document.
That's why I went with a non-binding size limit recommendation of 5kb, because I'm aware that there can be certain scenarios where the document may be bigger, particularly with localisation of fields and such.
Well, one advantage of data-uri is that it is easier to let the AS "allow list" a particular image for a particular client, and show that image to the user while authorizing.
When an HTTPS URI is used, the actual file served could be different for the AS and USER, which could help perform phishing attacks.
But I agree that the effect on the document size is not ideal...
When an HTTPS URI is used, the actual file served could be different for the AS and USER, which could help perform phishing attacks.
This is true, but linking directly to a remote file on a security sensitive page would not be advisable; instead, I'd recommend that ASes cache media assets such as the application logo.
If so, how would it impact the size limit of the whole metadata document?
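A sketch of the caching approach suggested in the thread, as an added example that is not part of the discussion or of any AS implementation: the AS resolves the logo once, pins its SHA-256 digest to the client, and the consent page serves only the pinned bytes from the AS's own origin, so a later swap at the remote URL never reaches the user. The `LogoCache` class, the injected `fetch` callable, the `/client-logos/` path and the 64 KiB cap are all assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

MAX_LOGO_BYTES = 64 * 1024  # assumed cap for the image itself, not a value from the thread
MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}

class LogoCache:
    """AS-side store: the consent page only ever serves bytes held here."""

    def __init__(self, fetch):
        self._fetch = fetch   # hypothetical callable(url) -> bytes, injected by the AS
        self._blobs = {}      # sha256 hex -> (mime, bytes)
        self._pinned = {}     # client_id -> sha256 hex

    def pin(self, client_id, logo_uri):
        """Resolve logo_uri once, validate the bytes, pin their digest to the client."""
        parts = urlsplit(logo_uri)
        if parts.scheme == "https":
            data = self._fetch(logo_uri)
        elif parts.scheme == "data":
            header, sep, payload = parts.path.partition(",")
            if not sep or not header.endswith(";base64"):
                raise ValueError("only base64 data URIs are accepted")
            data = base64.b64decode(payload, validate=True)
        else:
            raise ValueError(f"scheme not allowed: {parts.scheme!r}")
        if len(data) > MAX_LOGO_BYTES:
            raise ValueError("logo too large")
        # Sniff the bytes instead of trusting a declared media type.
        mime = next((m for sig, m in MAGIC.items() if data.startswith(sig)), None)
        if mime is None:
            raise ValueError("not a PNG or JPEG")
        digest = hashlib.sha256(data).hexdigest()
        self._blobs[digest] = (mime, data)
        self._pinned[client_id] = digest
        return digest

    def consent_logo(self, client_id):
        """Return (AS-local path, mime, bytes) for the consent page; never refetches."""
        digest = self._pinned[client_id]
        mime, data = self._blobs[digest]
        return f"/client-logos/{digest}", mime, data
```

The injected fetcher is where timeouts, redirect limits and restrictions on internal addresses belong.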