> Is this a matter of saying they should have an API for these clients which exposes less of the risky activities? That cookies provide a defense against XSS exfiltration? And/or other?

HTTPOnly cookies prevent exfiltration of session or token data stored in cookies. Those cookies can be REPLAYED via XSS (stored request forgery via XSS) but they indeed cannot be stolen.

I also reject serverless SPA architectures that store tokens from a wide variety of services, especially for high-risk apps that use complex web UIs. The chance of building such things securely for most teams is painfully low.

- Jim

On 12/7/18 5:27 PM, David Waite wrote:
>> On Dec 7, 2018, at 5:50 AM, Jim Manico <j...@manicode.com> wrote:
> <snip>
>> I still encourage developers who are not XSS gurus to stick to cookie based
>> sessions or stateless artifacts to talk to the back end and keep OAuth
>> tokens only flying intra-server. It's an unpopular opinion, but even
>> moderately good XSS defense is equally unpopular
> Is this a matter of saying they should have an API for these clients which
> exposes less of the risky activities? That cookies provide a defense against
> XSS exfiltration? And/or other?
>
> -DW
>

-- 
Jim Manico
Manicode Security
https://www.manicode.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
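The distinction Jim draws (an HttpOnly cookie cannot be read by injected script, but the browser still attaches it to requests that script triggers) is easy to state and easy to misjudge when reviewing an app. The following is an added example, not code from the thread or from any of its participants: a small Node.js model of the two access paths a browser offers to cookies, plus a lint for `Set-Cookie` headers that flags the attributes a session cookie should carry. The cookie names, values and the `CookieJar`, `parseSetCookie` and `auditSetCookie` helpers are all constructed for illustration.

```javascript
// Added example (not from the OAuth mailing-list thread): models how a
// browser exposes cookies to script (document.cookie) versus how it attaches
// them to outgoing requests, and lints Set-Cookie headers for missing flags.
// Assumption: all cookie names/values and helper names below are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1); // indexOf keeps any '=' inside the value
  const attrs = {};
  for (const part of attrParts) {
    if (part === '') continue;
    const i = part.indexOf('=');
    if (i === -1) attrs[part.toLowerCase()] = true;
    else attrs[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Toy cookie jar with the two views a browser provides.
class CookieJar {
  constructor() {
    this.cookies = new Map();
  }

  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }

  // What script (including injected XSS payloads) sees via document.cookie:
  // HttpOnly cookies are hidden, so they cannot be read out and exfiltrated.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !c.attrs.httponly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What the browser attaches to a same-site request the page makes:
  // every cookie, HttpOnly or not. This is why HttpOnly stops theft but not
  // replay from within the page, the point made in the thread.
  requestCookieHeader() {
    return [...this.cookies.values()]
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Lint a Set-Cookie header for the attributes a session cookie should carry.
// Returns a list of findings; an empty list means no issue was detected.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable by script, exfiltrable via XSS');
  if (!c.attrs.secure) findings.push('missing Secure: may be sent over plaintext HTTP');
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax/Strict: attached to cross-site requests');
  }
  return findings;
}

// Demo: a hardened session cookie next to a non-sensitive preference cookie.
function demo() {
  const sessionHeader = 'sid=s3cr3t-session; Path=/; HttpOnly; Secure; SameSite=Lax';
  const jar = new CookieJar();
  jar.store(sessionHeader);
  jar.store('theme=dark; Path=/');
  return {
    visibleToScript: jar.documentCookie(),      // 'theme=dark'
    sentWithRequest: jar.requestCookieHeader(), // 'sid=s3cr3t-session; theme=dark'
    sessionFindings: auditSetCookie(sessionHeader), // []
    weakFindings: auditSetCookie('sid=abc; Path=/'), // three findings
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see both views side by side. The lint is the practical takeaway for a reviewer: HttpOnly removes the exfiltration path, Secure keeps the cookie off plaintext transports, and SameSite limits which cross-site requests carry it; none of them stops script already running in the page from issuing requests that the browser authenticates, which is the residual risk Jim describes.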