Agreed, though we can't assume that there won't be other browser bugs that can 
be exploited in similar ways. 

Facebook automatically adding their debug page to the redirect URI of every 
client was...

We need to reinforce care around redirect URI; Connect is much more restrictive 
than OAuth.

I think a client registering its response types is a good idea; I see it is 
already in the IETF registration spec.

John B.

On 2013-02-25, at 2:58 PM, "Richer, Justin P." <jric...@mitre.org> wrote:

> From my read, it's a combination of browser bugs (it only affects Chrome) and 
> Facebook's insistence on using the Implicit flow for everything. 
> 
> While I don't at all care for the "sky is falling" rhetoric that seems to 
> follow OAuth2, the author has some good suggestions for implementations: 
> binding redirect URIs to particular flows, preference for the code flow, not 
> using a default redirect_uri on a hosted domain with user-generated content.
> 
> But all of these are implementation issues that the OAuth2 protocol can't 
> really address directly.
> 
> -- Justin
> 
> 
> On Feb 25, 2013, at 5:42 PM, William Mills <wmills_92...@yahoo.com> wrote:
> 
>> 
>> 
>> DOH!!!  
>> http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>> 
>> From: Phil Hunt <phil.h...@oracle.com>
>> To: William Mills <wmills_92...@yahoo.com> 
>> Sent: Monday, February 25, 2013 2:28 PM
>> Subject: Re: [OAUTH-WG] OAuth2 attack surface....
>> 
>> What's the link?
>> 
>> Phil
>> 
>> Sent from my phone.
>> 
>> On 2013-02-25, at 14:22, William Mills <wmills_92...@yahoo.com> wrote:
>> 
>>> I think this is worth a read, I don't have time to dive into this :(
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
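An added example, not code from any of the posters or from any real provider, of the server-side checks the thread calls for: the client registers its response types, each redirect URI is bound to one flow, matching is exact rather than prefix-based, and no default redirect_uri is ever substituted. Client ids, hosts and the registration structure are constructed for illustration.

```python
"""Authorization-request checks that bind redirect URIs to flows.

The registry below is a constructed, hypothetical client registration:
each redirect_uri is tied to the response_type (flow) it may serve.
"""
from urllib.parse import urlsplit

CLIENTS = {
    "app-123": {
        # Only the code flow is registered; an implicit request is refused.
        "response_types": {"code"},
        "redirect_uris": {"code": {"https://app.example/cb"}},
    },
    "legacy-456": {
        "response_types": {"code", "token"},
        "redirect_uris": {
            "code": {"https://legacy.example/cb"},
            "token": {"https://legacy.example/implicit"},
        },
    },
}


def validate_request(client_id, response_type, redirect_uri, registry=CLIENTS):
    """Return (ok, reason) for an authorization request.

    On any failure the server must show an error page rather than redirect:
    redirect_uri is untrusted until it has matched a registered value.
    """
    client = registry.get(client_id)
    if client is None:
        return False, "unknown_client"
    if response_type not in client["response_types"]:
        return False, "unregistered_response_type"
    # No default redirect_uri: the client must always send one explicitly.
    if not redirect_uri:
        return False, "redirect_uri_required"
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False, "bad_scheme_or_fragment"
    # Exact string comparison against the URIs bound to this flow only;
    # no prefix or wildcard matching, so another path on the same host fails.
    allowed = client["redirect_uris"].get(response_type, set())
    if redirect_uri not in allowed:
        return False, "redirect_uri_not_bound_to_flow"
    return True, "ok"
```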
