On Fri, Jul 8, 2011 at 11:39 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> How exactly? They are not confidential by nature, being received via
> redirection in the URI query. I know what this sentence is trying to
> accomplish but not sure how to do that with normative language. SHOULD
> doesn't really work here either.
The browser same origin policy does apply to URI queries. They MUST be kept confidential, i.e. only sent to authorized entities. That covers:
- the client web site
- the browser

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
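As an added example (not part of the thread and not code from any OAuth implementation), the following shows what "kept confidential by the client web site" can look like in practice for a code that arrives in the redirect URI query. The handler name `handle_redirect`, the session keys `oauth_state`, `token` and `next`, and the `exchange_code` callback are assumptions made for illustration; the sample redirect URL in the docstring is constructed. The handler binds the response to the session via `state`, consumes the code once over the back channel, and answers with a redirect to a URL that no longer carries `code` or `state`, so the code does not linger in the address bar, browser history or Referer headers sent to other sites.

```python
"""Client-side redirect endpoint that treats the authorization code in the
URI query as a secret (added example, hypothetical names).

Constructed sample request the browser makes on the client site:
    https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=abc
"""
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit


class RedirectError(Exception):
    """Raised when the redirect cannot be tied to a session or is malformed."""


def handle_redirect(request_url: str, session: dict, exchange_code) -> str:
    """Process the authorization server's redirect back to the client.

    request_url   : full URL the browser requested on the client web site
    session       : server-side per-user session; must hold 'oauth_state',
                    the value issued when the authorization request was built
    exchange_code : callable that sends the code to the token endpoint over
                    the client's own back channel and returns the token
    Returns the Location the browser should be redirected to next.
    """
    parts = urlsplit(request_url)
    query = parse_qs(parts.query)

    # 'state' binds this response to the session that started the flow;
    # a redirect without a matching state is not ours to act on.
    if query.get("state", [None])[0] != session.get("oauth_state"):
        raise RedirectError("state mismatch")

    codes = query.get("code", [])
    if len(codes) != 1:
        raise RedirectError("expected exactly one code parameter")

    # The state is single-use: drop it so a replayed redirect is rejected.
    session.pop("oauth_state")

    # The code leaves the client only towards the token endpoint.
    session["token"] = exchange_code(codes[0])

    # Build the post-login URL without code/state so nothing secret remains
    # in the address bar, history, server logs of later pages or Referer.
    kept = {k: v for k, v in query.items() if k not in ("code", "state")}
    return urlunsplit((parts.scheme, parts.netloc, session.get("next", "/"),
                       urlencode(kept, doseq=True), ""))
```

The same handler also guards the other direction of the thread's point: a code that reaches the client site but was not requested by the current session (no matching `state`) is rejected rather than exchanged.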