David,

Yes, you're right, I should have paid attention to the GET line, not to the URL above. The browser honors the fragment sent in Location, but it's not on the GET line.

I've also enabled the Tomcat access log and could not find the fragment there. My apologies.

--- On Sun, 8/1/10, David Recordon <record...@gmail.com> wrote:

From: David Recordon <record...@gmail.com>
Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
To: o...@gryb.info
Cc: oauth@ietf.org
Date: Sunday, August 1, 2010, 8:24 PM

Yes, the HTTP request that the browser finally made was:

GET / HTTP/1.1
Host: www.google.com

The fragment wasn't sent by the browser to the server.

--David

On Sun, Aug 1, 2010 at 5:12 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:

Here is an example with the Location header. I don't see the URI with the access token being truncated. See the Location header generated by the JSP and the actual redirect that the browser followed below.

red.jsp (running on local Tomcat):

<%
String url = "http://www.google.com#access_token=123";
response.sendRedirect(url);
%>

Live HTTP Headers trace for the Iceweasel browser:

http://localhost:8080/red.jsp

GET /red.jsp HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=236DAD3EA6288BDC6A780CFFFB9F83E2; Path=/
Location: http://www.google.com#access_token=123
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Mon, 02 Aug 2010 00:18:01 GMT
----------------------------------------------------------
http://www.google.com/#access_token=123

GET / HTTP/1.1
Host: www.google.com

--- On Sun, 8/1/10, Oleg Gryb <oleg_g...@yahoo.com> wrote:

> From: Oleg Gryb <oleg_g...@yahoo.com>
> Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
> To: "Marius Scurtescu" <mscurte...@google.com>, "Bouiaw" <bou...@gmail.com>
> Cc: oauth@ietf.org
> Date: Sunday, August 1, 2010, 7:18 PM
>
> I'll need to check if it's true for dynamic redirects that use the Location header, but right now I can provide an example where JavaScript is used for redirects, in which case the access token is sent in a URL.
>
> Let us assume that you've implemented an endpoint on your authz server as a JSP that populates the access token dynamically:
>
> <html>
> <body onload="window.location.href = 'http://www.google.com#access_token=<%=var_with_token%>'">
> </body>
> </html>
>
> After the JSP container expanded the variable, the response that the browser will see looks as follows:
>
> <html>
> <body onload="window.location.href = 'http://www.google.com#access_token=123'">
> </body>
> </html>
>
> To test the page above, I put it on my local Apache web server and then accessed it using the Iceweasel browser. I've used HTTP Live Headers to see all redirects. The trace is below. Please let me know what I'm missing. The last GET has the access token in it.
>
> http://localhost/red.html
>
> GET /red.html HTTP/1.1
> Host: localhost
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> If-Modified-Since: Sun, 01 Aug 2010 23:15:07 GMT
> If-None-Match: "dfa53-67-48ccb4133b4c0"-gzip
>
> HTTP/1.x 200 OK
> Date: Sun, 01 Aug 2010 23:16:17 GMT
> Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
> Last-Modified: Sun, 01 Aug 2010 23:15:07 GMT
> Etag: "dfa53-67-48ccb4133b4c0"-gzip
> Accept-Ranges: bytes
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 110
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html
> ----------------------------------------------------------
> http://www.google.com/#access_token=123
>
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost/red.html
>
> ----- Original Message ----
> From: Marius Scurtescu <mscurte...@google.com>
> To: Bouiaw <bou...@gmail.com>
> Cc: Oleg Gryb <o...@gryb.info>; oauth@ietf.org
> Sent: Sun, August 1, 2010 1:03:36 PM
> Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
>
> On Sun, Aug 1, 2010 at 12:22 PM, Bouiaw <bou...@gmail.com> wrote:
> > Has the redirect with the fragment in the URL, without sending it to the server, been tested with all main browsers?
>
> AFAIK this is how all major browsers behave. Does anyone know otherwise? Browsers that don't respect this?
>
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
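An added example, my own code rather than anything posted in the thread, that makes the point of the traces above checkable: it derives the request line and Host header a browser sends for a redirect target, contrasts a token in the fragment (client-side only) with a token in the query (on the wire), and scans constructed access-log lines in Tomcat/Apache common log format for tokens that did reach the server.

```python
"""Models what a browser puts on the wire for a redirect target whose access token
sits in the URL fragment (the OAuth 2.0 user-agent profile), and scans access-log
lines for tokens that did reach the server.  Log lines below are constructed samples."""
import re
from urllib.parse import urlsplit, parse_qs


def wire_view(url: str) -> dict:
    """Split `url` into what the browser sends (request line, Host header) and what
    stays client-side.  RFC 3986 makes the fragment a client-side identifier, so an
    HTTP request-target never carries '#...'; that is why the GET line in the
    thread's trace is 'GET / HTTP/1.1' and not 'GET /#access_token=123'."""
    p = urlsplit(url)
    target = (p.path or "/") + (f"?{p.query}" if p.query else "")
    return {
        "request_line": f"GET {target} HTTP/1.1",
        "host": f"Host: {p.netloc}",
        "client_only": p.fragment,  # '' when the URL has no fragment
    }


def token_on_wire(url: str) -> bool:
    """True if an access_token would be part of the request-target (query string),
    i.e. visible to the server, its access log, proxies and Referer headers."""
    return "access_token" in parse_qs(urlsplit(url).query)


# Common log format: ... "METHOD request-target HTTP/x.y" status bytes
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def log_lines_with_token(lines):
    """Return (line number, request-target) for each log entry whose request-target
    carries an access_token.  A '#access_token=' redirect produces no hit because the
    fragment never leaves the browser; a '?access_token=' redirect does."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and "access_token" in parse_qs(urlsplit(m["target"]).query):
            hits.append((n, m["target"]))
    return hits


SAMPLE_LOG = [  # constructed entries; the third shows what a query-string leak looks like
    '127.0.0.1 - - [02/Aug/2010:00:18:01 +0000] "GET /red.jsp HTTP/1.1" 302 0',
    '127.0.0.1 - - [02/Aug/2010:00:18:02 +0000] "GET / HTTP/1.1" 200 512',
    '127.0.0.1 - - [02/Aug/2010:00:18:03 +0000] "GET /cb?access_token=123 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for u in ("http://www.google.com#access_token=123", "http://www.google.com/cb?access_token=123"):
        print(u, "->", wire_view(u)["request_line"], "| token on wire:", token_on_wire(u))
    print("log hits:", log_lines_with_token(SAMPLE_LOG))
```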