>From my read, it's a combination of browser bugs (it only affects Chrome) and 
>Facebook's insistence on using the Implicit flow for everything.

While I don't at all care for the "sky is falling" rhetoric that seems to 
follow OAuth2, the author has some good suggestions for implementations: 
binding redirect URIs to particular flows, preference for the code flow, not 
using a default redirect_uri on a hosted domain with user-generated content.

But all of these are implementation issues that the OAuth2 protocol can't 
really address directly.

-- Justin
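The three suggestions in the reply above (binding redirect URIs to a particular flow, preferring the code flow, and not falling back to a default redirect_uri on a host that serves user-generated content) as an added example of what an authorization server's redirect_uri policy can look like. This is editorial example code, not code from anyone on this thread or from any OAuth provider; the client identifier, hosts, URIs and the UGC_HOSTS list are constructed for illustration.

```python
# Added example (not from the thread, not any provider's code): an
# authorization-server redirect_uri policy that binds each registered URI
# to one flow and applies no default. Identifiers below are constructed.
from urllib.parse import urlsplit, urlencode


class AuthzError(Exception):
    """The request must be refused with an error page, never redirected."""


# Constructed client registry: redirect URI -> set of response_type values
# it is registered for. A URI registered for "code" cannot receive "token".
CLIENTS = {
    "web-app": {
        "redirect_uris": {
            "https://app.example/cb": {"code"},        # code flow only
            "https://app.example/spa/cb": {"token"},   # implicit flow only
        },
    },
}

# Constructed list of hosts that serve user-generated content. An implicit
# flow redirect there would hand the token (in the URL fragment) to any
# script another user uploaded to that host.
UGC_HOSTS = {"pages.example", "usercontent.example"}


def register_redirect_uri(client_id, redirect_uri, response_types=("code",)):
    """Registration-time policy. The code flow is the default; the implicit
    flow must be asked for explicitly and is refused on UGC hosts."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        raise AuthzError("redirect_uri must be an absolute https URI without a fragment")
    if parts.path in ("", "/"):
        raise AuthzError("a bare origin is not an acceptable redirect_uri")
    flows = set(response_types)
    if not flows <= {"code", "token"}:
        raise AuthzError("unsupported response_type in registration")
    if "token" in flows and parts.hostname in UGC_HOSTS:
        raise AuthzError("implicit flow may not redirect to a user-content host")
    CLIENTS.setdefault(client_id, {"redirect_uris": {}})["redirect_uris"][redirect_uri] = flows
    return redirect_uri


def validate_authorization_request(client_id, response_type, redirect_uri):
    """Request-time check: exact string match against the registered URIs for
    this client, and the URI must be registered for the requested flow.
    A missing redirect_uri is an error; there is no default to fall back to."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise AuthzError("unknown client_id")
    if not redirect_uri:
        raise AuthzError("redirect_uri is required; no default is applied")
    flows = client["redirect_uris"].get(redirect_uri)  # no prefix/wildcard match
    if flows is None:
        raise AuthzError("redirect_uri is not registered for this client")
    if response_type not in flows:
        raise AuthzError("redirect_uri is not registered for response_type=%s" % response_type)
    return redirect_uri


def build_redirect(redirect_uri, response_type, value, state):
    """Why the binding matters: the code flow returns a one-time code in the
    query string, useless without the client's token-endpoint credentials;
    the implicit flow puts the bearer token itself in the fragment, readable
    from location.hash by any script on the landing page."""
    if response_type == "code":
        return redirect_uri + "?" + urlencode({"code": value, "state": state})
    return redirect_uri + "#" + urlencode(
        {"access_token": value, "token_type": "bearer", "state": state})


def rejects(fn, *args):
    """True if the policy refuses the call (used by the demo below)."""
    try:
        fn(*args)
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    uri = validate_authorization_request("web-app", "code", "https://app.example/cb")
    print(build_redirect(uri, "code", "c-constructed", "s1"))
    # A code-flow redirect cannot be reused to receive an implicit-flow token.
    print(rejects(validate_authorization_request, "web-app", "token", "https://app.example/cb"))
    # The bare-origin "default redirect on a UGC host" pattern is refused at registration.
    print(rejects(register_redirect_uri, "web-app", "https://pages.example/", ("token",)))
```

The exact-match rule and the refusal of a missing redirect_uri are the parts that carry the weight: a prefix or host-only match, or a fallback to a registered default, is what lets a redirect meant for the code flow be reused to deliver an implicit-flow token in the fragment to a page the client never intended.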


On Feb 25, 2013, at 5:42 PM, William Mills <wmills_92...@yahoo.com> wrote:



DOH!!!  
http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html

________________________________
From: Phil Hunt <phil.h...@oracle.com>
To: William Mills <wmills_92...@yahoo.com>
Sent: Monday, February 25, 2013 2:28 PM
Subject: Re: [OAUTH-WG] OAuth2 attack surface....

What's the link?

Phil

Sent from my phone.

On 2013-02-25, at 14:22, William Mills <wmills_92...@yahoo.com> wrote:

I think this is worth a read; I don't have time to dive into this :(
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



