Yes, I thought of this, but if I can do this, someone else can too and retrieve the tokens.

On Wednesday, 13 March 2013 11:45:20 UTC+1, Jordano Francisco (UK) wrote:

> On 13/03/2013 10:39, "Arnaud Didry" <[email protected]> wrote:
>
> > Hi Jordano,
> >
> > That's what I understood. My problem is that doing
> > window.opener.postMessage(result, "*") [1] is a possible security threat
> > IMO.
> >
> > Someone could use my oauth client_id to use the api on my behalf and the
> > users authorizations that come along.
> >
> > For example, if the contact app in gaia didn't restrict the postMessage to
> > 'app://communications.gaiamobile.org' [2], I suppose I could do this:
>
> Perhaps in your case, not knowing the origin, you could set this up in the
> service provider as a parameter.
>
> Cheers!
>
> F.

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
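The targetOrigin problem raised in the thread, as an added example that is not code from the thread, from Gaia or from any OAuth provider. It models the two checks that decide who can read a result sent with `window.opener.postMessage`: the sender's `targetOrigin` (the browser drops the message unless the receiver's origin matches) and the receiver's `event.origin` check. The origins `contacts-app.example`, `oauth-provider.example` and `attacker.example` are constructed for illustration, and `https://` is used instead of the `app://` origins of Firefox OS because Node's `URL` treats non-special schemes as opaque and serializes their origin as `"null"`.

```javascript
// Added example, not code from the thread or from Gaia. Models who can read an
// OAuth result posted to window.opener, so the "*" problem is visible in isolation.
//
// Sender side: the browser delivers the message only if the receiver's origin
// matches targetOrigin (HTML spec):
//   "*"   any origin        -> what the quoted code does; an attacker page that
//                              opened the popup with the legit client_id gets it
//   "/"   the sender's own origin
//   URL   only that URL's origin (path and query ignored)
// Receiver side: the listener must check event.origin before trusting data.

const LEGIT_APP = 'https://contacts-app.example';   // constructed origin
const IDP = 'https://oauth-provider.example';        // constructed origin
const ATTACKER = 'https://attacker.example';         // constructed origin

// Would the browser deliver a message posted with `targetOrigin` from a
// document at `senderOrigin` to a window whose document is at `receiverOrigin`?
function wouldDeliver(targetOrigin, senderOrigin, receiverOrigin) {
  if (targetOrigin === '*') return true;
  if (targetOrigin === '/') return receiverOrigin === senderOrigin;
  let wanted;
  try {
    wanted = new URL(targetOrigin).origin;
  } catch (e) {
    // postMessage itself throws SyntaxError on an unparsable targetOrigin
    throw new SyntaxError(`invalid targetOrigin: ${targetOrigin}`);
  }
  return wanted === receiverOrigin;
}

// Receiver-side check: accept the payload only from allowlisted origins.
// Returns null for anything else so a forged message cannot be used by accident.
function acceptMessage(event, allowedOrigins) {
  return allowedOrigins.includes(event.origin) ? event.data : null;
}

// Scenario: the OAuth popup (document on IDP) posts `token` to window.opener,
// whose document is on `openerOrigin`; the opener's listener trusts `allowed`.
// Returns what the opener ends up holding, or null.
function popupPostsToOpener(targetOrigin, openerOrigin, token, allowed) {
  if (!wouldDeliver(targetOrigin, IDP, openerOrigin)) return null;
  return acceptMessage({ origin: IDP, data: token }, allowed);
}

// Leak: with "*" an attacker-controlled opener receives the token. The attacker
// page does no origin check of its own, so the sender's targetOrigin is the
// only control that matters here.
function tokenLeaksWithWildcard() {
  return popupPostsToOpener('*', ATTACKER, 'tok_constructed', [IDP]) !== null;
}

// Fix: pass the registered redirect origin (the "parameter in the service
// provider" suggested in the thread) as targetOrigin. The attacker opener now
// receives nothing.
function tokenLeaksWithPinnedOrigin() {
  return popupPostsToOpener(LEGIT_APP, ATTACKER, 'tok_constructed', [IDP]) !== null;
}

// ...while the legitimate app, whose listener allowlists the provider, still works.
function legitAppStillWorks() {
  return popupPostsToOpener(LEGIT_APP, LEGIT_APP, 'tok_constructed', [IDP]) === 'tok_constructed';
}
```

The two checks protect different parties: `targetOrigin` protects the sender's secret from an unexpected opener, and the `event.origin` allowlist protects the receiver from forged results posted by a third party. Neither replaces the other, which is why the thread's suggestion of registering the client's origin with the provider is the right place to get the first one from.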
