Hi, thanks so much. Will take my time amending this with some help. Smart E11
On Thu, 27 Oct 2022, 02:16 Daniel Fett, <fett=40danielfett...@dmarc.ietf.org> wrote:

> Hi Christian,
>
> thanks for bringing this to our attention! I think the recommendations in the PR are very helpful and we will consider adding the text to the document.
>
> -Daniel
>
> On 25.10.22 at 15:37, Christian Mainka wrote:
>
> Hi,
>
> we would like to request the inclusion of _in-browser communication security considerations_ in the OAuth security topics.
>
> We found that in-browser communications like the postMessage API are widely used by Clients and Authorization Servers as an alternative to the standardized HTTP redirects.
> If these techniques are used insecurely, OAuth token leaks and injections are possible.
>
> We will publish our results soon at ACM CCS in November 2022.
> The paper is accessible [1].
>
> We think that the paragraph about in-browser communications should be added to the security topics.
> We created a pull request [2] to help developers in understanding the risks and best practices of using in-browser communications in OAuth.
>
> We are happy to discuss the idea here or directly in the pull request.
>
> Best regards
> Christian
>
> [1]: "DISTINCT: Identity Theft using In-Browser Communications in Dual-Window Single Sign-On", https://distinct-sso.com/paper.pdf
>
> [2]: https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/53
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
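The risk Christian describes (a Client accepting an authorization response over postMessage without checking where it came from) and the corresponding mitigation, as an added example that is not code from the thread, the pull request, or the DISTINCT paper; the origin `https://as.example`, the message shape and the function names are illustrative assumptions.

```javascript
// Added example (not code from the thread, the PR, or the DISTINCT paper):
// a Client-side postMessage receiver for an authorization response sent by a
// popup opened to the Authorization Server, in a vulnerable and a hardened form.
// AS_ORIGIN, the message shape and the function names are illustrative assumptions.

const AS_ORIGIN = "https://as.example"; // constructed: the only sender the Client trusts

// Vulnerable receiver: never looks at event.origin, so any window that holds a
// reference to this one can inject an authorization response of its choosing.
function vulnerableReceiver(event) {
  const msg = event.data;
  if (!msg || msg.type !== "authorization_response") return null;
  return { code: msg.code, state: msg.state }; // accepted from anyone
}

// Hardened receiver: accept only messages from the expected origin, and only when
// the state matches the pending request (rejects injected or replayed responses).
function hardenedReceiver(event, pendingState) {
  if (event.origin !== AS_ORIGIN) return null;
  const msg = event.data;
  if (!msg || msg.type !== "authorization_response") return null;
  if (typeof msg.state !== "string" || msg.state !== pendingState) return null;
  return { code: msg.code, state: msg.state };
}

// Sending side (runs in the popup): name the Client's origin explicitly as the
// targetOrigin; a wildcard "*" would let the response leak to an unexpected window.
function postAuthResponse(targetWindow, clientOrigin, code, state) {
  if (clientOrigin === "*" || !/^https:\/\/[^/]+$/.test(clientOrigin)) {
    throw new TypeError("targetOrigin must be a specific https origin");
  }
  targetWindow.postMessage({ type: "authorization_response", code, state }, clientOrigin);
}

// Constructed sample events, shaped like the browser's MessageEvent (origin + data).
const injectedEvent = {
  origin: "https://attacker.example",
  data: { type: "authorization_response", code: "INJECTED_CODE", state: "s1" },
};
const genuineEvent = {
  origin: AS_ORIGIN,
  data: { type: "authorization_response", code: "GENUINE_CODE", state: "s1" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(vulnerableReceiver(injectedEvent));     // accepted: INJECTED_CODE
  console.log(hardenedReceiver(injectedEvent, "s1")); // null
  console.log(hardenedReceiver(genuineEvent, "s1"));  // { code: 'GENUINE_CODE', state: 's1' }
}
```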