On Wed, Jul 7, 2010 at 12:47 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> The issue is that it is hard (or even impossible) to prevent another
> user-agent client from imitating another user-agent client. A pre-registered
> redirection URI does very little to help. In most cases, such a URI will
> point to a web page with a script that will extract the information and pass
> it to the parent frame. This means any client can get hold of the access
> token as long as it was the parent.

The script doesn't have to naively pass information to the parent.  It
could either make an explicit check to make sure the parent is in the
same domain, or rely on communication techniques that respect the
same-origin policy.

Pros:
With a pre-registered redirection URI, this prevents the specific case
you mentioned above.  Are there other cases where this wouldn't work?

Cons:
Requiring such a check would add implementation load to clients.
Servers would not know if the (good-guy) client is conformant.
Does it break the user-agent flow entirely?  Are there implementations
that require this blind cross-domain communication?

Mike
--mdawaffe
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
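The check Mike proposes above, as an added example that is not part of the original thread: the script on the pre-registered redirection URI hands the access token to its parent frame only through postMessage with an explicit targetOrigin (never "*"), and the parent accepts a token only from the redirect page's origin. The client origin https://client.example and the stubbed browser objects are assumptions so the logic can run under Node.

```javascript
// Added example, not code from the thread. Browser objects are stubbed so it runs under Node.

// Parse the implicit-grant fragment, e.g. "#access_token=abc&expires_in=3600".
function parseFragment(hash) {
  const params = {};
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const [k, v = ""] = pair.split("=");
    params[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return params;
}

// Redirect-page side: hand the token to the parent frame, but only to the
// origin this client owns. A targetOrigin of "*" is the blind relay the
// thread warns about: the browser would deliver to any embedding page.
function relayToken(win, clientOrigin) {
  if (clientOrigin === "*") throw new Error("refusing blind cross-origin relay");
  const { access_token } = parseFragment(win.location.hash);
  if (!access_token) return false;
  win.parent.postMessage({ access_token }, clientOrigin);
  return true;
}

// Parent side: accept a token only from the registered redirect-URI origin,
// so a foreign frame cannot inject a token of its choosing either.
function makeTokenReceiver(redirectOrigin) {
  let token = null;
  return {
    onMessage(event) {
      if (event.origin !== redirectOrigin) return;
      if (event.data && typeof event.data.access_token === "string") token = event.data.access_token;
    },
    getToken: () => token,
  };
}

// Constructed stand-in for a browser: postMessage delivers only when
// targetOrigin matches the parent's real origin, as browsers enforce.
function simulateRelay(parentOrigin, hash) {
  const REDIRECT_ORIGIN = "https://client.example"; // hypothetical client origin
  const receiver = makeTokenReceiver(REDIRECT_ORIGIN);
  const parent = {
    postMessage(data, targetOrigin) {
      if (targetOrigin === parentOrigin) receiver.onMessage({ origin: REDIRECT_ORIGIN, data });
    },
  };
  relayToken({ location: { hash }, parent }, REDIRECT_ORIGIN);
  return receiver.getToken(); // non-null only if the parent really is the client
}
```

When the embedding parent is some other site, the browser drops the message and the token never leaves the client's origin, which is the case Eran raised.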
