Tom Crane
If the IIIF Auth token can ever be exchanged for a modified, credential-containing URL in this way, the spec needs to be reevaluated for cross site request forgery vulnerabilities. At...
To this end... and even though most of the parts appear to be already present in the IIIF Auth API, and it would be very tempting to start using the...
> reflecting the request's origin in Access-Control-Allow-Origin and setting Access-Control-Allow-Credentials to true.

Yes, we want to avoid doing that, for spec simplicity as well as keeping the domain of the...
The 2.0 spec allows `location` to provide a simple form of this functionality, but any more complex token exchange or _scripted_ manipulation of resource requests to include credentials requires further...
Closed as superseded by #2127
Will be done in P4 - see #2281
Is this actually a _Presentation 4_ issue, to be solved then?
TSG Propose close this issue.
The Auth spec does need some implementation notes but they might be cookbook recipes
Do we need the 2023 version of https://iiif.io/api/auth/1.0/implementation/ ?