> It is basically implementing what's described at
> https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources
> The SAML endpoints would suffer from the same vulnerability, right?

Yes, and I wouldn't do that either.

-- Scott