Client identifier and CORS
Currently, the spec doesn't say anything about CORS: clients may not configure CORS for their identifiers, preventing cross-domain requests to this document. The main use case for the client identifier is to be dereferenced by the Solid-OIDC provider, which is going to be a backend service, so this has no impact on it. However, the client identifier not being available cross-domain prevents a client-side Solid app from dereferencing it to discover information about the client. As it stands, making an app that displays information about clients to a user requires a server-side component because there is no guarantee that the client-side request would work. Should there be a note about this in the spec, either recommending that developers configure CORS for the client identifiers, or warning that looking up a client identifier cross-domain may legitimately fail?
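
The failure mode raised above, as an added example that is not part of the original post or of the spec: a browser-side lookup that treats a blocked cross-origin read as an expected outcome instead of an error. `lookupClient`, `fetchImpl`, the sample identifier and the sample document are assumptions made for illustration, and the `client_id` equality check is an added precaution, not a quoted requirement.

```javascript
// Added example. lookupClient, fetchImpl and SAMPLE_DOC are hypothetical names.
// SAMPLE_DOC is a constructed client identifier document for offline runs.
const SAMPLE_ID = "https://app.example/clientid.jsonld";
const SAMPLE_DOC = {
  "@context": "https://www.w3.org/ns/solid/oidc-context.jsonld",
  client_id: SAMPLE_ID,
  client_name: "Example Solid App",
  redirect_uris: ["https://app.example/callback"],
};

// Returns { status: "ok" | "unavailable" | "invalid", ... } and never throws,
// so the UI can fall back to showing the bare identifier.
async function lookupClient(clientId, fetchImpl = globalThis.fetch) {
  let url;
  try {
    url = new URL(clientId);
  } catch {
    return { status: "invalid", reason: "not a URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { status: "invalid", reason: "not an HTTP(S) URL" };
  }
  let response;
  try {
    // The document is public: send no cookies to the client's origin.
    response = await fetchImpl(url.href, {
      headers: { Accept: "application/ld+json, application/json" },
      credentials: "omit",
    });
  } catch {
    // A browser rejects fetch() with a TypeError both when CORS blocks the
    // read and on network errors; script cannot tell the two apart.
    return { status: "unavailable", reason: "blocked or unreachable" };
  }
  if (!response.ok) {
    return { status: "unavailable", reason: `HTTP ${response.status}` };
  }
  let doc;
  try {
    doc = await response.json();
  } catch {
    return { status: "invalid", reason: "not JSON" };
  }
  // Assumption: only trust a document that names the identifier it came from.
  if (doc === null || typeof doc !== "object" || doc.client_id !== clientId) {
    return { status: "invalid", reason: "client_id mismatch" };
  }
  const name = typeof doc.client_name === "string" ? doc.client_name : null;
  return { status: "ok", clientId, name }; // render name as text, never as HTML
}
```

Passing a stub as `fetchImpl` lets the same function be exercised without a network; in a browser the default `fetch` is used.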