Releases: remotestorage/spec
Releases · remotestorage/spec
12
07
Breaking for servers:
- The app manifest is no longer guaranteed to contain a 'datastores-access'
field.
Breaking for clients:
- Zero-click login when the app is opened through the
remotestorage=URL
fragment parameter (the storage-first flow) is no longer allowed, the app
should now ask for user confirmation before proceeding to connect. Also, if a
remotestorage=parameter is present, theaccess_token=andscope=
parameters should be ignored.
06
Breaking for servers as well as clients:
- The difference between 401 and 403 http response status was clarified to match
the way they are defined by the Bearer token spec. - In the OAuth dance, client_id should now match the origin of the redirect_uri.
- Content-Range headers are no longer allowed on PUT requests.
- The Expires: 0 header was replaced by Cache-Control: no-cache.
Breaking for servers:
- Apart from GET requests, HEAD requests are also allowed without Authorization
request header on public documents. - Servers that support range requests should now announce this not only through
WebFinger, but also through the HTTP 'Accept-Ranges' header.
Breaking for clients:
- Apart from acct:me@mydomain.com ('me@mydomain.com' in UI), http://mydomain.com/
('mydomain.com' in UI) is now allowed as a user address for WebFinger discovery. - Access-Control-Allow-Origin: * is now also allowed on requests with preflight.
This was changed in the CORS spec, and has already been implemented by all major
browsers. - Item names '.' and '..' are no longer allowed.
Release candidate 1 for spec 06
draft-dejong-remotestorage-06.txt
Breaking for servers as well as clients:
- The difference between 401 and 403 http response status was clarified to match
the way they are defined by the Bearer token spec. - In the OAuth dance, client_id should now match the origin of the redirect_uri.
Breaking for servers:
- Apart from GET requests, HEAD requests are also allowed without Authorization
request header on public folders.
Breaking for clients:
- Apart from acct:me@mydomain.com ('me@mydomain.com' in UI), http://mydomain.com/
('mydomain.com' in UI) is now allowed as a user address for WebFinger discovery. - Access-Control-Allow-Origin: * is now also allowed on requests with preflight.
This was changed in the CORS spec, and has already been implemented by all major
browsers. - Item names '.' and '..' are no longer allowed.
05-rc1
draft-dejong-remotestorage-05.txt (release candidate 1)
Breaking for servers as well as clients:
- The link relation in the WebFinger announcement was updated from 'remotestorage'
to 'http://tools.ietf.org/id/draft-dejong-remotestorage' (issue #78). - The version string in the WebFinger announcement was updated from -04 to -05.
Breaking for clients:
04
Changelog
Breaking for servers as well as clients
- The version string in the WebFinger announcement was updated from -03 to -04
- Implicit auth is now indicated with a
nullproperty instead offalse. - The way to announce support for query parameter bearer tokens and range requests has changed, both for servers that do support it, and servers that don't.
Non-breaking
- Servers may now offer any extension features they want.
- Several mistakes in the text and wire examples were fixed.
- Several confusing formulations in the text were improved.
- Mention "group accounts", to which multiple human users have access.
04-rc5
Release candidate for the -04 spec. See the changelog for more details
04-rc4
Release candidate for the -04 spec. See the changelog for more details