Recommendations for Applications

Applications handling access requests/grants should:

  • Validate the access requests/grants’ URL.

  • Validate the Resource URLs.

  • Use authenticated fetches to fetch the Purpose URLs.

  • Escape the values when displaying Purpose URLs and definitions.

  • NOT display the Purpose URLs as links.

  • Verify that the requestor is trusted before fetching the profile and extended profile.

  • NOT display WebIDs as links.

    • If dereferencing the profile/extended profile:

      • Escape label values if displaying labels.

      • Validate that the image property is a valid URL if displaying the image.

  • NOT prompt users on their IDP based on the WebID of the Resource’s Owner.
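As an added example (not code from the specification or any Solid library), a browser-side check that applies the URL validation and escaping recommendations above to the values an application reads from a grant; the field names on the grant object and the sample grant itself are assumptions constructed for illustration.

```javascript
// Added example, not code from the Solid specification: defensive handling of
// the untrusted values an app reads from an access request/grant before it
// displays them. The field names on `grant` are assumptions for illustration.

// Accept only absolute http(s) URLs that carry no embedded credentials.
function isSafeHttpUrl(value) {
  let url;
  try { url = new URL(String(value)); } catch { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return url.username === "" && url.password === "";
}

// HTML-escape so labels and purpose definitions render as inert text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Validate the grant's URLs and produce display-safe strings. Purpose URLs and
// WebIDs come back as escaped text only, never as href targets.
function prepareGrantForDisplay(grant) {
  const problems = [];
  if (!isSafeHttpUrl(grant.id)) problems.push("grant URL is invalid");
  const resources = Array.isArray(grant.resources) ? grant.resources : [];
  if (!resources.every(isSafeHttpUrl)) problems.push("a resource URL is invalid");
  if (!isSafeHttpUrl(grant.purpose)) problems.push("purpose URL is invalid");
  if (!isSafeHttpUrl(grant.requestor)) problems.push("requestor WebID is invalid");
  if (problems.length > 0) return { ok: false, problems };
  return {
    ok: true,
    purposeText: escapeHtml(grant.purpose),
    purposeDefinition: escapeHtml(grant.purposeDefinition || ""),
    requestorText: escapeHtml(grant.requestor),
    requestorLabel: escapeHtml(grant.requestorLabel || ""),
    // The profile image is shown only if its value is itself a valid http(s) URL.
    requestorImage: isSafeHttpUrl(grant.requestorImage) ? grant.requestorImage : null,
  };
}
// Constructed sample grant whose definition, label and image values are hostile.
const SAMPLE_GRANT = {
  id: "https://grants.example/grant/1",
  resources: ["https://pod.example/alice/health/"],
  purpose: "https://purposes.example/research",
  purposeDefinition: "<script>alert(1)</script>Research use",
  requestor: "https://requestor.example/profile#me",
  requestorLabel: "Acme <Research>",
  requestorImage: "javascript:alert(1)",
};
```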