Recommendations for Applications

Applications handling access requests/grants should:

• Validate the access requests/grants’ URL.

• Validate the Resource URLs.

• Use authenticated fetches to fetch the Purpose URLs.

• Escape the values when displaying Purpose URLs and definition.

• NOT display the Purpose URLs as links

• Verify that the requestor is trusted before fetching the profile and extended profile.

• NOT display WebID as links.

  • If dereferencing profile/extended profile:

    • Escape label values if displaying labels.

    • Validate that the image property is a valid URL if displaying the image.

• NOT prompt users on their IDP based on the WebID of the Resource’s Owner.