schibsted / account-sdk-browser

Schibsted Account SDK for browsers
https://schibsted.github.io/account-sdk-browser/
MIT License

doc: Clarify that Identity.logout() validates CORS #36

Closed torarvid closed 6 years ago

torarvid commented 6 years ago

During the 2.5 hours when a site went live yesterday, we saw some errors that the logout() requests were failing. This was because they were calling it from an http origin, and only the https origin was listed in redirect_uris.

codecov[bot] commented 6 years ago

Codecov Report

Merging #36 into master will not change coverage. The diff coverage is n/a.


@@         Coverage Diff          @@
##           master   #36   +/-   ##
====================================
  Coverage      94%   94%           
====================================
  Files          14    14           
  Lines         400   400           
  Branches       83    83           
====================================
  Hits          376   376           
  Misses         23    23           
  Partials        1     1

| Impacted Files | Coverage Δ | |
|---|---|---|
| src/identity.js | 90.97% <ø> (ø) | :arrow_up: |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 31336a0...0d4298f.

vasklund commented 6 years ago

I found this now, but it doesn't seem to exist in master anymore? Does this still hold true?

torarvid commented 6 years ago

Nope, since ITP2, we do a full-page redirect to the logout flow in Schibsted account.

vasklund commented 6 years ago

Oh, right, I should have known that! 😄

It would be nice if it was documented that you still need to have a URL in SelfService where the origin (protocol + domain) matches where you are redirecting back to (in Identity.logout(<redirectUri>)) - it took us a couple of hours of error and trial to figure that one out.
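
The origin mismatch discussed in this thread (an http page calling logout while only the https origin is registered) can be caught before deployment with a preflight check like the one below. This is an added example, not part of the thread or of account-sdk-browser; the function names and sample URIs are hypothetical, and it assumes the server compares origins the way the browser's `URL.origin` does (scheme, host and non-default port).

```javascript
// Added example: preflight check for a logout redirect URI.
// Not SDK code. Helper names are hypothetical; URIs in the test are constructed.

// Returns the origin of an absolute http(s) URI, or null if it is unusable.
function parseOrigin(uri) {
  try {
    const u = new URL(uri);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.origin; // default ports (80/443) are dropped by the URL parser
  } catch (e) {
    return null; // relative or malformed URI
  }
}

// Compares the redirect URI's origin against the registered redirect URIs
// and says why a mismatch happened, so the failure is diagnosable.
function checkLogoutRedirect(redirectUri, registeredUris) {
  const target = parseOrigin(redirectUri);
  if (target === null) {
    return { ok: false, reason: 'invalid-redirect-uri' };
  }
  const valid = registeredUris.filter((r) => parseOrigin(r) !== null);
  if (valid.some((r) => parseOrigin(r) === target)) {
    return { ok: true, reason: 'origin-registered' };
  }
  // Host is registered, but under another scheme or port:
  // the http-versus-https case reported in this thread.
  const host = new URL(redirectUri).hostname;
  const sameHost = valid.some((r) => new URL(r).hostname === host);
  return {
    ok: false,
    reason: sameHost ? 'scheme-or-port-mismatch' : 'origin-not-registered',
  };
}
```

Running this in CI against every origin a site is served from (including the plain-http one, if it exists) surfaces the mismatch before users hit a failing logout.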