Sunday, November 04, 2007

Supporting Information Cards with Browsers as of the Information Card Profile V1.0

While investigating the issues described in my former post I began to wonder why this all has ever worked... You had this feeling in your computer science life too now and then, right?

My personal history regarding this is: Chuck designed the code of the openinfocard id selector in a way that it worked with early relying parties according to the examples given in THE GUIDE. Our relying party at is designed excactly along the examples from the guide. When I joined the team I did not have to bother with the particular code that did the HTML-object handling. I changed this code several times but I was only adding code needed for e.g. correct/better PPID computation and lately no-SSL support. The major workings of the code were not changed because it handled the examples given in the guide ok. Later new relying parties appeared with javascript triggering and I used Kevin Miller's extension because it handled most of these cases correctly.

After having spent some hours to find the reason why the id selectors stopped to work in some cases I began to think that the behavior of IE7 might not be standard HTML (what ever that is). I think that the examples given in the guide expect the browser to retrieve the value of the object when it is inside a form and pass this value to the RP in the post data. Is this HTML standard behavior expected from browsers?

The Microsoft relying parties listed in OSIS - Relying Party results with Identity Selectors currently use another approach.

function InformationCard1OnClick(doNotSubmit) {
try {
var token = icardInformationCard1.value;
if (!token) {
throw 'ID5006: No token is returned from InformationCard.';
document.getElementById('InformationCard1_TokenId').value = encodeURIComponent(token);
} catch (ex) {
document.getElementById('InformationCard1_ErrorId').innerText = encodeURIComponent(ex.number + '::' + ex.description);
if (!doNotSubmit) {

  • get the object value
  • copy it to the form field
  • and submit

Not only does it make sense it still works with Firefox 2.0.0.[8|9]!

My suggestion: Somebody should write a new version of the guide and change the code of relying parties to this scheme!

I consider some of the other schemes currently in use just tricky/wrong/complex/false.
One relying party, which can not find anymore, changes the object parameters in the submit function. What sense does this make???!!!

To sum it up: It would be nice if having the object inside the form and having the browser add the object's value to the posted data would work, but I am not sure whether this is _standard_. Requiring javascript is maybe not _friendly_, but maybe inevitable. I think that HTML object was invented to handle media types and this does not imply that a parent form should submit the object's value. Doing this explicitly might be better.
Just my 0.2 cent.

No comments: