Obviously. But custom schemes are not really a GET operation. It is whatever the operating system handler defines. It can as easily be configured to just run 'format' as soon as you click it. My point is that when people design their *applications* and register such callback schemes, they should take into account that others may try to abuse it and so it should never do anything harmful to the computer, user, or their application.
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Blaine Cook
> Sent: Monday, February 23, 2009 1:07 AM
> To: [email protected]
> Subject: [oauth] Re: OAuth-like user experience examples
>
> This is true whether or not OAuth is involved. e.g.,
>
> <a href="skype:911?totallycrashandformateverything=1">click me for bunnies!</a>
>
> As long as the principle that GET requests do not modify data applies equally to desktop, mobile, and web apps, then there's no security problem. Of course, if someone builds a protocol handler that with a single click can do Bad Things™, they have created a security threat. The link (including callback) in and of itself isn't a threat.
>
> b.
>
> On Sun, Feb 22, 2009 at 3:58 AM, Eran Hammer-Lahav <[email protected]> wrote:
> >
> > Not all providers will let you register non (verified) HTTP callback URIs. While it is a pretty useful hack, especially in devices such as the iPhone where only a single application can occupy the screen at a time, it can pose a security threat. If you are going to use this method, make sure that calling your application in this way cannot be abused by others posting such links in other websites.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Ward
> >> Sent: Saturday, February 21, 2009 7:25 PM
> >> To: [email protected]
> >> Subject: [oauth] Re: OAuth-like user experience examples
> >>
> >> On 21 Feb 2009, at 11:09, Chris Messina wrote:
> >>
> >> >> I also see this more as a problem for e.g. the iPhone where you usually need to close the application in order to jump to safari. This is not such a problem on the desktop and (as you demonstrate) has been done for quite a while with flickr.
> >> >>
> >> >
> >> > Pownce actually did this, and I don't think that the experience was all that bad:
> >> >
> >> > https://wiki.oauth.net/OAuth-for-Pownce-on-iPhone
> >> >
> >> > With using custom protocol handlers, you can make the experience quite smooth actually. Confining the user to the task at hand is a bit harder, but it's not impossible to handle the case where the user never completes authentication.
> >>
> >> We documented some of that in the Fire Eagle documentation that Blaine already linked. In fact, you can register x-application:// protocol handlers on all modern OS's; so the technique could be used on the desktop to skip the 'Now press OK' prompts we have in existing desktop auth, not just iPhone. (URL for that doc again is: http://fireeagle.yahoo.net/developer/documentation/oauth_best_practice)
> >>
> >> Also in the iPhone space, the new GetSatisfaction app has a beautiful diagrammatic explanation for the Quit -> Safari -> Reopen behaviour, see: http://micro.cjmart.in/post/80075323/
> >>
> >> Ben
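As an added example (not code from this thread, nor from Fire Eagle or Pownce), here is how the handler for a hypothetical custom scheme x-myapp:// can apply the rule discussed above: treat the link as untrusted input that anyone may have posted, accept only the single URL shape the app registered, perform no destructive action, and complete a callback only for a request token the app itself started and has not yet used. The scheme, host, path and token values are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example: the app registers the hypothetical scheme "x-myapp"
# and uses "x-myapp://oauth/callback" as its OAuth 1.0a callback URI.
SCHEME = "x-myapp"
CALLBACK_HOST = "oauth"
CALLBACK_PATH = "/callback"


class CallbackStore:
    """Request tokens this app itself obtained and has not yet redeemed."""

    def __init__(self):
        self._pending = set()

    def begin(self, request_token: str) -> None:
        # Called right after the app fetched a request token from the
        # provider; only these tokens may ever complete a callback.
        self._pending.add(request_token)

    def redeem(self, request_token: str) -> bool:
        # Single use: a replayed link or one crafted by a third party,
        # who never started a flow with this app, finds nothing here.
        if request_token in self._pending:
            self._pending.remove(request_token)
            return True
        return False


def handle_callback(url: str, store: CallbackStore):
    """Return (oauth_token, oauth_verifier) if the link completes a flow
    this app started, otherwise None. The only side effect is consuming
    the pending token; the caller still has to exchange the verifier for
    an access token with the provider, never trusting the link alone."""
    parts = urlsplit(url)
    # Strict allow-list of the one URL shape we register; any other
    # host/path on our scheme is ignored rather than "handled".
    if (parts.scheme, parts.netloc, parts.path) != (SCHEME, CALLBACK_HOST, CALLBACK_PATH):
        return None
    query = parse_qs(parts.query, keep_blank_values=False)
    tokens = query.get("oauth_token", [])
    verifiers = query.get("oauth_verifier", [])
    # Exactly one value each; duplicated parameters are rejected outright.
    if len(tokens) != 1 or len(verifiers) != 1:
        return None
    token, verifier = tokens[0], verifiers[0]
    if not store.redeem(token):
        return None  # not a flow we started, or already used: drop it
    return token, verifier
```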
