Thank you Travis for your feedback!

On 20.03.18 at 12:48, Travis Spencer wrote:
> I read through this doc and would like to share a bit of feedback in
> hopes that it helps:
>
> * There is no mention of Content Security Policy (CSP). This is a very
> helpful security mechanism that all OAuth servers and web-based
> clients should implement. I think this needs to be addressed in this
> doc.
>     - No mention of frame breaking scripts for non-CSP aware user agents
>     - No mention of X-Frame-Options
> * There's no mention of HSTS which all OAuth servers and web-based
> client should implement (or the reverse proxies in front of them
> should)

If I see this correctly, all of these mechanisms fall in the category of
"do web security right" that Jim mentioned, i.e., there are no concrete,
OAuth-specific attacks that would be prevented by these. If so, I think
we should not mention them in the document.

> * The examples only use 302 and don't mention that 303 is safer[1]
>    - Despite what it says in section 1.7 of RFC 6749, many people
> think that a 302 is mandated by OAuth. It would be good to recommend a
> 303 and use examples with other status codes.

Yes, we should address that.

> [1] https://arxiv.org/pdf/1601.01229v2.pdf

(That link, by the way, points to an old version of our paper. There is
an updated version with more attacks and a better presentation:
https://arxiv.org/pdf/1601.01229.pdf)

Thanks again for your feedback!

-Daniel


-- 
SEC - Institute of Information Security
University of Stuttgart
Phone +49 711 685 88468
Universitätsstraße 38 - 70569 Stuttgart - Room 2.434
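The two concrete points in the exchange above (a 303 rather than a 302 after the consent form POST, and the CSP / X-Frame-Options / HSTS headers Travis asks for) are easy to show side by side in code. The following is an added example, not code from the thread, the draft, or the paper: a minimal WSGI authorization endpoint that redirects back to the client with 303 See Other and sends the three headers, plus a small linter that reports the review points against any response. The client redirect URI, the authorization code and the state value are constructed placeholders, not real values.

```python
"""Added example (not from the OAuth list thread): an authorization endpoint
response as a WSGI app, and a linter for the redirect status and headers."""
from urllib.parse import urlencode
from wsgiref.util import setup_testing_defaults

# Hypothetical client registration and constructed sample values.
CLIENT_REDIRECT_URI = "https://client.example/cb"   # assumed
SAMPLE_CODE = "c0nstructedAuthCode"                   # constructed
SAMPLE_STATE = "c0nstructedState"                     # constructed

# Response headers the reviewer asked for: a CSP that also forbids framing,
# X-Frame-Options for user agents that do not understand frame-ancestors,
# and HSTS so the browser refuses to downgrade to plain HTTP.
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def authorization_app(environ, start_response):
    """Handles the POSTed consent form and redirects back to the client.

    303 See Other instructs the user agent to issue a GET to Location and drop
    the POST body, so submitted form fields never travel to the client.  A 307
    would re-POST the body, and 302 only relies on de facto browser behaviour.
    """
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")] + SECURITY_HEADERS)
        return [b""]
    query = urlencode({"code": SAMPLE_CODE, "state": SAMPLE_STATE})
    location = CLIENT_REDIRECT_URI + "?" + query
    start_response("303 See Other", [("Location", location)] + SECURITY_HEADERS)
    return [b""]


def call_app(app, method="POST", path="/authorize"):
    """Runs a WSGI app in-process and returns (status line, headers as dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))  # body is irrelevant for a redirect
    return captured["status"], captured["headers"]


def lint_response(request_method, status, headers):
    """Returns a list of findings for one response, mirroring the review points."""
    findings = []
    code = int(status.split()[0])
    if 300 <= code < 400:
        if code in (307, 308):
            findings.append("redirect preserves method and body; use 303")
        elif code == 302 and request_method == "POST":
            findings.append("302 after POST relies on user-agent behaviour; use 303")
    for name in ("Content-Security-Policy", "X-Frame-Options",
                 "Strict-Transport-Security"):
        if name not in headers:
            findings.append("missing " + name)
    return findings


if __name__ == "__main__":
    status, headers = call_app(authorization_app)
    print(status, headers["Location"])
    print(lint_response("POST", status, headers))
    print(lint_response("POST", "302 Found", {"Location": CLIENT_REDIRECT_URI}))
```

`lint_response` is the kind of check a reverse proxy or integration test can run against every authorization-endpoint response; the 302 finding is deliberately limited to redirects that answer a POST, since that is the case where the status code decides whether the form body is forwarded.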

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
