Labs/Weave/Identity/Account Manager/Spec/Latest: Difference between revisions

The user-agent must follow this set of checks, in order, to determine an Account Management Realm on retrieving a resource:

# If the HTTP response has an "<tt>X-Account-Management</tt>" HTTP header, the realm is the value of this header.
# If there is no <tt>X-Account-Management</tt> header, the browser SHOULD discover the XRD Host Metadata for the domain of the resource (as of this writing, this involves making an HTTP request to /.well-known/host-meta, or perhaps a DNS-based system TBD). The user-agent may apply standard HTTP caching practices to this metadata file.

Note that check 2 means that an Account Management Realm defined in the Host Metadata applies to all resources on the host that do not provide an <tt>X-Account-Management</tt> header or a value in their HTML content.

See also the discussion in Security Considerations, below.
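The two checks above, as an added example of the user-agent side (this is illustration code, not Weave or Account Manager code). It assumes the host-meta location /.well-known/host-meta and the OASIS XRD 1.0 namespace; the XRD <tt>Link</tt> rel value "AccountManagement" and the JSON realm URL are placeholders, since the text above does not fix them. The fetch function and the host-meta document are constructed so the example runs offline; caching follows the response's Cache-Control max-age, and a host whose host-meta is missing is simply reported as having no realm.

```python
"""Account Management Realm discovery: header first, then XRD host metadata.

Added example, not project code. HOST_META_PATH, XRD_NS and
ACCOUNT_MANAGEMENT_REL are assumptions the text above leaves open.
"""
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

HOST_META_PATH = "/.well-known/host-meta"
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"   # OASIS XRD 1.0 namespace
ACCOUNT_MANAGEMENT_REL = "AccountManagement"          # assumed rel value


def header_value(headers, name):
    """Case-insensitive lookup of one HTTP header; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def max_age(headers):
    """Cache-Control max-age in seconds, or None if the response must not be cached."""
    cc = header_value(headers, "Cache-Control") or ""
    for directive in cc.split(","):
        directive = directive.strip().lower()
        if directive in ("no-store", "no-cache"):
            return None
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):])
            except ValueError:
                return None
    return None


def realm_from_host_meta(body):
    """href of the first XRD <Link> whose rel matches, else None (bad XML counts as none)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for link in root.iter("{%s}Link" % XRD_NS):
        if link.get("rel") == ACCOUNT_MANAGEMENT_REL and link.get("href"):
            return link.get("href")
    return None


class RealmDiscovery:
    """fetch(url) -> (status, headers, body) or None; clock() -> seconds, injectable for tests."""

    def __init__(self, fetch, clock=time.time):
        self.fetch = fetch
        self.clock = clock
        self.cache = {}   # host -> (realm or None, expiry time)

    def host_meta_realm(self, scheme, host):
        now = self.clock()
        cached = self.cache.get(host)
        if cached and cached[1] > now:
            return cached[0]                      # standard HTTP caching, per check 2
        result = self.fetch("%s://%s%s" % (scheme, host, HOST_META_PATH))
        realm, ttl = None, None
        if result is not None:
            status, headers, body = result
            if status == 200:
                realm = realm_from_host_meta(body)
                ttl = max_age(headers)
        if ttl is not None:
            self.cache[host] = (realm, now + ttl)
        return realm

    def discover(self, resource_url, response_headers):
        # Check 1: an explicit header on the resource wins.
        realm = header_value(response_headers, "X-Account-Management")
        if realm:
            return realm
        # Check 2: fall back to the host's XRD host metadata (applies host-wide).
        parts = urlsplit(resource_url)
        return self.host_meta_realm(parts.scheme, parts.netloc)


# Constructed sample host-meta document and fetcher for an offline run.
SAMPLE_HOST_META = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="AccountManagement" href="https://example.com/amcd.json"/>
</XRD>"""


def make_fake_fetch(log):
    def fetch(url):
        log.append(url)
        if url == "https://example.com/.well-known/host-meta":
            return (200, {"Cache-Control": "max-age=3600"}, SAMPLE_HOST_META)
        return (404, {}, "")
    return fetch


def demo():
    log = []
    ua = RealmDiscovery(make_fake_fetch(log))
    a = ua.discover("https://example.com/page", {"X-Account-Management": "https://example.com/explicit"})
    b = ua.discover("https://example.com/other", {"Content-Type": "text/html"})
    c = ua.discover("https://example.com/third", {})      # served from cache, no new fetch
    d = ua.discover("https://other.example/x", {})        # no host-meta: no realm
    return a, b, c, d, len(log)
```

Running demo() shows the header overriding host-meta for one resource, host-meta applying to every other resource on that host, one cached fetch covering both, and a host without host-meta yielding no realm.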