On 13/03/2013 10:39, "Arnaud Didry" <[email protected]> wrote:

>Hi Jordona,
>
>That's what I understood. My problem is that doing
>window.opener.postMessage(result, "*") [1] is a possible security threat
>IMO.
>
>Someone could use my oauth client_id to use the api on my behalf and the
>users' authorizations that come along.
>
>For example, if the contact app in gaia didn't restrict the postMessage to
>'app://communications.gaiamobile.org' [2], I suppose one could do this:

Perhaps in your case, not knowing the origin, you could set this up in the
service provider as a parameter.

Cheers!

F.
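The two halves of the concern raised in this thread, the sender using `"*"` as the target origin and the receiver trusting whatever arrives, can both be checked in code. The block below is an added example, not code from the thread or from Gaia: it keeps an allowlist of origins (the Gaia origin quoted above plus a constructed `https://client.example` placeholder), refuses to post an OAuth result with a wildcard target, validates an origin supplied as a request parameter (F.'s suggestion) against that allowlist so a caller cannot simply name an origin of its choosing, and drops incoming messages whose `event.origin` is not listed. The names `ALLOWED_ORIGINS`, `safePostMessage`, `resolveTargetOrigin` and `makeReceiver` are assumptions for this example; the fake window object lets it run under Node without a browser.

```javascript
"use strict";

// Origins that may receive or send the OAuth result. The first is the Gaia
// origin named in the thread; the second is a constructed placeholder.
const ALLOWED_ORIGINS = new Set([
  "app://communications.gaiamobile.org",
  "https://client.example",
]);

// Sender side (the popup/redirect page that holds `result`). Instead of
// window.opener.postMessage(result, "*"), require an explicit target origin
// and insist that it be one we know, so the result cannot be delivered to a
// window belonging to some other origin. Returns the origin actually used.
function safePostMessage(targetWindow, message, targetOrigin) {
  if (typeof targetOrigin !== "string" || targetOrigin === "*") {
    throw new Error("refusing to post OAuth result to wildcard origin");
  }
  if (!ALLOWED_ORIGINS.has(targetOrigin)) {
    throw new Error("target origin not allowlisted: " + targetOrigin);
  }
  targetWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// F.'s suggestion: the client passes its origin as a parameter to the service
// provider. That parameter is attacker-controlled input, so it is only
// accepted when it matches a registered origin; otherwise null is returned
// and the caller should abort rather than fall back to "*".
function resolveTargetOrigin(params) {
  const candidate = params && params.origin;
  if (typeof candidate !== "string") return null;
  return ALLOWED_ORIGINS.has(candidate) ? candidate : null;
}

// Receiver side (the opener). A message handler must check event.origin
// before using event.data; the returned boolean says whether the message
// was accepted, which keeps the behaviour testable.
function makeReceiver(onResult) {
  return function handleMessage(event) {
    if (!event || !ALLOWED_ORIGINS.has(event.origin)) {
      return false; // silently drop messages from unknown origins
    }
    onResult(event.data, event.origin);
    return true;
  };
}

// Stand-alone demonstration with a fake opener window (constructed).
if (typeof require !== "undefined" && require.main === module) {
  const sent = [];
  const fakeOpener = { postMessage: (m, o) => sent.push({ m, o }) };
  const origin = resolveTargetOrigin({ origin: "app://communications.gaiamobile.org" });
  safePostMessage(fakeOpener, { code: "CONSTRUCTED-CODE" }, origin);
  const receive = makeReceiver((data, from) => console.log("accepted", from, data));
  receive({ origin: "https://attacker.example", data: {} }); // dropped
  receive({ origin: origin, data: sent[0].m });              // accepted
}

module.exports = { ALLOWED_ORIGINS, safePostMessage, resolveTargetOrigin, makeReceiver };
```

Note that `resolveTargetOrigin` returning `null` must end the flow: the temptation, once the origin is unknown, is to fall back to `"*"`, which is exactly the case the thread is trying to avoid.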


This electronic message contains information from Telefonica UK, Telefonica 
Europe or Telefonica Digital which may be privileged or confidential. The 
information is intended to be for the use of the individual(s) or entity named 
above. If you are not the intended recipient be aware that any disclosure, 
copying distribution or use of the contents of this information is prohibited. 
If you have received this electronic message in error, please notify us by 
telephone or email.

Switchboard: +44 (0)113 272 2000
Email: [email protected]

Telefonica UK Limited  260 Bath Road, Slough, Berkshire SL1 4DX Registered in 
England and Wales: 1743099. VAT number: GB 778 6037 85
Telefonica Europe plc  260 Bath Road, Slough, Berkshire SL1 4DX Registered in 
England and Wales: 05310128. VAT number: GB 778 6037 85
Telefonica Digital Limited  260 Bath Road, Slough, Berkshire SL1 4DX Registered 
in England and Wales: 7884976. VAT number: GB 778 6037 85
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps