Sorry for not being clear. I mean the callback parameter that is included in the authorization url.

On Apr 24, 12:57 am, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Do you mean why the callback itself isn't signed? Or the parameter?
>
> EHL
>
> > -----Original Message-----
> > From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> > Of Josh Fraser
> > Sent: Thursday, April 23, 2009 11:15 PM
> > To: OAuth
> > Subject: [oauth] What's the back story on why the callback wasn't
> > included in the signature?
> >
> > It seems like a lot of the vulnerability concerns (at least from B-C)
> > can be addressed by simply adding the callback to the signature. Is
> > there a reason this wasn't included in the spec to begin with? I want
> > to make sure I'm not missing something.