Has the redirect with the fragment in the URL, without sending it to the server, been tested with all major browsers?
On Sun, Aug 1, 2010 at 9:14 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> "Redirect URI" below means HTTP response code 302, right? Won't the browser
> follow?
>
> ----- Original Message ----
> From: Marius Scurtescu <mscurte...@google.com>
> To: Oleg Gryb <o...@gryb.info>
> Cc: oauth@ietf.org
> Sent: Sun, August 1, 2010 11:52:22 AM
> Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
>
> On Sun, Aug 1, 2010 at 10:59 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
>> I think the OAuth 2.0 (http://tools.ietf.org/html/draft-ietf-oauth-v2-10)
>> User Agent profile is not very secure. Please let me know where/if I'm
>> wrong.
>>
>> Let us take a look at step C in Figure 5:
>>
>> "Redirect URI with access token in fragment."
>>
>> It's written everywhere that one should not really put secrets in a
>> URL. The access token and that URL are all I need to get access to the
>> protected resource, right?
>>
>> Let us assume that somebody copy/pasted that URL from a web server's
>> access log file or from a proxy log file and then replayed it 1000
>> times.
>
> The fragment is not sent by the browser to the server, so it cannot
> end up in log files.
>
> Marius
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
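As an added illustration of Marius's point (example code, not part of the thread): for a redirect URI from the user-agent profile, the HTTP request-target a browser puts on the wire is path plus query only, so the fragment carrying the access token never reaches the server or its access logs, whereas the same token placed in the query string would. The redirect URLs and token value are constructed samples.

```javascript
// Added example, not from the OAuth WG thread. Demonstrates the difference
// between a token carried in the URL fragment (draft-ietf-oauth-v2-10
// user-agent profile, Figure 5 step C) and one carried in the query string.
'use strict';

// What the browser transmits for a URL: the request-target is pathname plus
// query (RFC 7230 origin-form). The fragment is kept client-side and is not
// sent, so it cannot appear in server or proxy access logs.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;          // fragment intentionally absent
}

// What a client-side script at the redirect URI can read from the fragment
// (in a browser this is window.location.hash).
function parseFragmentParams(urlString) {
  const u = new URL(urlString);
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  return Object.fromEntries(params.entries());
}

// True if the token would be visible in the request-target, i.e. to the
// server and to anything logging requests in between.
function leaksTokenToServer(urlString) {
  return requestTarget(urlString).includes('access_token=');
}

// Constructed redirect as the authorization server issues it in step C.
const FRAGMENT_REDIRECT =
  'https://client.example.com/cb?state=xyz' +
  '#access_token=EXAMPLE-TOKEN&token_type=bearer&expires_in=3600';

// Constructed contrast case: same token in the query string.
const QUERY_REDIRECT =
  'https://client.example.com/cb?state=xyz&access_token=EXAMPLE-TOKEN';

console.log('fragment redirect, on the wire:', requestTarget(FRAGMENT_REDIRECT));
console.log('fragment params seen by client script:', parseFragmentParams(FRAGMENT_REDIRECT));
console.log('fragment redirect leaks token:', leaksTokenToServer(FRAGMENT_REDIRECT));
console.log('query redirect leaks token:', leaksTokenToServer(QUERY_REDIRECT));
```

The check covers only what is transmitted; the fragment is still readable by any script running on the redirect page, which is the client's own responsibility.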