On Fri, Apr 2, 2010 at 8:53 AM, Brian Eaton <bea...@google.com> wrote:
> On Thu, Apr 1, 2010 at 9:18 PM, Allen Tom <a...@yahoo-inc.com> wrote:
>> The Auth server should also check for the presence of an HTTP Referrer.
>> There should not be a referrer, since the user should not have clicked on
>> anything to have landed on the screen
>
> I don't think this one is going to work in practice.  Manufacturers
> may not point users directly at the OAuth approval page.  They are
> going to end up pointing users to something shorter, e.g.
> "http://google.samsung.com".  That web site will then redirect the
> user to the right approval page.

Then maybe the approval page can whitelist known referrers?


With the device flow the user normally has to go to a page and then
type in a code at that page. If the approval page accepts only HTTP POST
and also prevents cross-site posting then session fixation is not that
easy anymore. Now the attacker has to convince the user to follow
a link *and* type a code at that page.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
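An added example, not code from anyone on this thread, of an approval-page handler that combines the two ideas above: the page only acts on HTTP POST, rejects cross-site posts (session-bound CSRF token plus an Origin/Referer allowlist), and requires the user to type the device code. The host allowlist, the pending-code table and the request/session dictionaries are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical first-party hosts allowed to send the user to, or post to,
# the approval page (the "known referrers" allowlist suggested in the thread).
ALLOWED_HOSTS = {"accounts.example.com", "device.example.com"}

# Constructed stand-in for the server's table of user codes awaiting approval.
PENDING_USER_CODES = {"WDJB-MJHT"}


def new_session():
    """Server-side session carrying a fresh, unguessable CSRF token."""
    return {"csrf": secrets.token_urlsafe(32)}


def _host(url):
    return urlsplit(url).hostname if url else None


def _referrer_ok(headers):
    """Referer may be absent (user typed the URL) or come from an allowed host."""
    ref = headers.get("Referer")
    return ref is None or _host(ref) in ALLOWED_HOSTS


def handle_approval(method, headers, form, session):
    """Return 'form' (render the code-entry page), 'approved', or 'reject:<why>'.

    GET never approves anything, even if a code is in the query string; it only
    serves the form when the referrer is acceptable. POST must come from an
    allowlisted Origin/Referer, carry the session's CSRF token, and include a
    user-typed code that is actually pending.
    """
    if method == "GET":
        return "form" if _referrer_ok(headers) else "reject:referrer"
    if method != "POST":
        return "reject:method"
    origin = headers.get("Origin") or headers.get("Referer")
    if _host(origin) not in ALLOWED_HOSTS:
        return "reject:cross-site"
    token = form.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return "reject:csrf"
    code = form.get("user_code", "").strip().upper()
    if code not in PENDING_USER_CODES:
        return "reject:unknown-code"
    return "approved"
```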
