This is true whether or not OAuth is involved. e.g., <a href="skype:911?totallycrashandformateverything=1">click me for bunnies!</a>

As long as the principle that GET requests do not modify data applies equally to desktop, mobile, and web apps, then there's no security problem. Of course, if someone builds a protocol handler that with a single click can do Bad Things™, they have created a security threat. The link (including callback) in and of itself isn't a threat.

b.

On Sun, Feb 22, 2009 at 3:58 AM, Eran Hammer-Lahav <[email protected]> wrote:
>
> Not all providers will let you register non (verified) HTTP callback URIs.
> While it is a pretty useful hack, especially in devices such as the iPhone
> where only a single application can occupy the screen at a time, it can pose
> a security threat. If you are going to use this method, make sure that
> calling your application in this way cannot be abused by others posting such
> links in other websites.
>
> EHL
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Ward
>> Sent: Saturday, February 21, 2009 7:25 PM
>> To: [email protected]
>> Subject: [oauth] Re: OAuth-like user experience examples
>>
>>
>> On 21 Feb 2009, at 11:09, Chris Messina wrote:
>>
>> >> I also see this more as a problem for e.g. the iPhone where you usually
>> >> need to close the application in order to jump to safari. This is not such a
>> >> problem on the desktop and (as you demonstrate) has been done for quite a
>> >> while with flickr.
>> >>
>> >
>> > Pownce actually did this, and I don't think that the experience was all that
>> > bad:
>> >
>> > https://wiki.oauth.net/OAuth-for-Pownce-on-iPhone
>> >
>> > With using custom protocol handlers, you can make the experience quite
>> > smooth actually. Confining the user to the task at hand is a bit harder, but
>> > it's not impossible to handle the case where the user never completes
>> > authentication.
>>
>> We documented some of that in the Fire Eagle documentation that Blaine
>> already linked. In fact, you can register x-application:// protocol
>> handlers on all modern OS's; so the technique could be used on the desktop
>> to skip the 'Now press OK' prompts we have in existing desktop auth, not
>> just iPhone. (URL for that doc again is:
>> http://fireeagle.yahoo.net/developer/documentation/oauth_best_practice)
>>
>> Also in the iPhone space, the new GetSatisfaction app has a beautiful
>> diagrammatic explanation for the Quit -> Safari -> Reopen behaviour,
>> see: http://micro.cjmart.in/post/80075323/
>>
>> Ben
>
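The thread's point is that a custom-scheme callback (x-application://...) is only safe if the application on the receiving end cannot be driven into doing anything by a link someone plants on another website. The following is an added illustration, not code from the thread or from any of the projects mentioned (Fire Eagle, Pownce, GetSatisfaction): a callback handler that accepts a URL from the OS protocol handler only when it names a request token this app obtained itself, once, within a short window, and that otherwise ignores the URL entirely. The scheme name `x-myapp`, the `oauth/callback` location, the 10-minute window and the sample tokens are assumptions made for the example; the callback carries only `oauth_token`, as OAuth 1.0 callbacks did at the time of the thread.

```python
from urllib.parse import urlsplit, parse_qs
import time

# Assumed values for this illustration: the custom scheme the app registers
# with the OS and the host/path it expects the provider to redirect back to.
CALLBACK_SCHEME = "x-myapp"
CALLBACK_NETLOC = "oauth"
CALLBACK_PATH = "/callback"
MAX_AGE_SECONDS = 600  # a pending authorization is abandoned after 10 minutes


class PendingAuthorizations:
    """Request tokens this app obtained itself before sending the user to the
    provider. A custom-scheme callback is honoured only if it names one of
    them, once, within the time window; anything else is an unsolicited link."""

    def __init__(self):
        self._pending = {}  # request token -> time the flow was started

    def begin(self, request_token, now=None):
        self._pending[request_token] = time.time() if now is None else now

    def consume(self, request_token, now=None):
        """True exactly once for a known, unexpired token; False otherwise."""
        now = time.time() if now is None else now
        started = self._pending.pop(request_token, None)
        return started is not None and (now - started) <= MAX_AGE_SECONDS


def handle_callback_url(url, pending, now=None):
    """Validate a URL the OS handed to the app via its protocol handler.

    Returns (accepted, reason, request_token). The handler itself changes no
    state: on success the caller resumes the flow it started earlier for that
    token (e.g. exchanges it for an access token); on failure the URL is simply
    ignored, so a link planted on some other website makes the app do nothing.
    """
    parts = urlsplit(url)
    if parts.scheme != CALLBACK_SCHEME:
        return False, "unexpected scheme", None
    if parts.netloc != CALLBACK_NETLOC or parts.path != CALLBACK_PATH:
        return False, "unexpected callback location", None
    tokens = parse_qs(parts.query).get("oauth_token", [])
    if len(tokens) != 1:
        return False, "missing or ambiguous oauth_token", None
    token = tokens[0]
    if not pending.consume(token, now):
        return False, "unknown, replayed or expired oauth_token", None
    return True, "ok", token


if __name__ == "__main__":
    flows = PendingAuthorizations()
    flows.begin("rt-123")  # constructed token, as if just obtained from the provider
    print(handle_callback_url("x-myapp://oauth/callback?oauth_token=rt-123", flows))
    # The same link clicked a second time, or one planted elsewhere, is rejected.
    print(handle_callback_url("x-myapp://oauth/callback?oauth_token=rt-123", flows))
    print(handle_callback_url("x-myapp://oauth/callback?oauth_token=planted", flows))
```

The check that makes a planted link inert is the lookup against `PendingAuthorizations`: the app only reacts to a callback for a flow it started itself, and even then the handler just resumes that flow rather than performing any action encoded in the URL, which is the same "a GET must not modify data" rule applied to the custom scheme.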
