> On 21 Nov 2018, at 08:26, Daniel Fett <danielf+oa...@yes.com> wrote:
>
>> On 20.11.18 at 13:24, Neil Madden wrote:
>> If we are discussing this in the context of client-side web apps/SPAs, then
>> surely the threat model includes malicious 3rd party scripts - for which
>> neither token binding nor mTLS constrained tokens are very effective as
>> those scripts run in the same TLS context as the legitimate client?
> Please correct me if I'm wrong, but if a page/SPA/origin includes a malicious
> third party script, the third party script can access all data of that
> JavaScript. It can exfiltrate tokens and/or send requests on behalf of that
> page/SPA/origin (using the page/SPA/origin's TLS context, cookies, etc.).
>
> So I doubt that there is any better solution than token binding or mTLS.
>
> If we assume that an SPA includes a malicious third party script, it is
> completely compromised.
>
No - same origin policy prevents those things. TLS doesn’t have those
protections though because it acts at the transport layer and SOP is an
application-layer concept.
— Neil
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth