Re: [discovery-api] Consolidated comments and questions

On Feb 5, 2013, at 9:36 AM, ext Rich Tibbett wrote:

>> Is it expected that the application will be notified from error messages
>> coming from the protocol level?
> No. We have deliberately obfuscated errors for both privacy and simplicity. The web page only really needs to know if access was granted or not. The cause of any error is not something that needs to bubble up to the web application - unless there are any use cases in which that is essential and warrant us having a further look at this.

+1 to this in general ( though attacks are still possible using timing etc)

regards, Frederick

Frederick Hirsch

Received on Tuesday, 5 February 2013 22:35:36 UTC