On May 4, 9:14 pm, Josh Roesslein wrote:
> A simple way to block this attack would be to force the user to log in each time before displaying the approval page (even if there is an SP session cookie). This way the attacker cannot load the approval page in a frame. They would need the password to do so. This does impact the user experience a bit, but does solve the issue 100% unless I overlooked something.
That is a solution that I considered but dismissed because of the inconvenience. However, after giving it some more thought, the inconvenience is not that great. And given that the other solutions are not perfect, it is one that service providers should consider. I updated the "Protection" section of my blog post to include it.

Stephen Sclafani

You received this message because you are subscribed to the Google Groups "OAuth" group. For more options, visit this group at http://groups.google.com/group/oauth?hl=en
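The re-authentication gate Josh describes, worked through as an added example; this is not code from the thread, from Stephen's blog post or from any service provider. The endpoint names, the dict-based session, the 60-second freshness window and the one-time nonce that ties the approval POST to the fresh login are all assumptions made for the illustration. The point it demonstrates: a request for the approval page that carries only the SP session cookie (which is exactly what a framed request from a logged-in victim carries) gets a redirect to the login form, and the approval page is rendered only after a password was just entered for that specific request token.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample user store (username -> (salt, PBKDF2 hash)); not from the thread.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Assumed policy: show the approval page only within this many seconds of a
# password login that was performed for this specific request token.
FRESH_AUTH_WINDOW = 60


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash_password(password, salt), expected)


def handle_login(session, username, password, oauth_token, now=None):
    """Password login. On success, records a fresh-auth marker bound to oauth_token.

    The marker is the only thing that unlocks the approval page, and it can only be
    created by someone who typed the password; a session cookie alone never produces it.
    """
    now = time.time() if now is None else now
    if not verify_password(username, password):
        return {"status": 401}
    session["user"] = username
    session["fresh_auth"] = {
        "token": oauth_token,
        "at": now,
        "nonce": secrets.token_hex(16),  # assumed: one-time value echoed by the approve POST
    }
    return {"status": 303, "location": f"/oauth/authorize?oauth_token={oauth_token}"}


def handle_authorize(session, oauth_token, now=None):
    """GET /oauth/authorize: render the approval page only after a fresh password login.

    A framed request from a victim who merely holds an SP session cookie fails the
    fresh_auth checks and is redirected to the login form instead of the approval page.
    """
    now = time.time() if now is None else now
    fresh = session.get("fresh_auth")
    if (session.get("user") is None
            or fresh is None
            or fresh["token"] != oauth_token          # login was for a different request token
            or now - fresh["at"] > FRESH_AUTH_WINDOW):  # login is too old
        return {"status": 303, "location": f"/login?oauth_token={oauth_token}"}
    return {
        "status": 200,
        "body": f"Allow access for request token {oauth_token} as {session['user']}?",
        "nonce": fresh["nonce"],
    }


def handle_approve(session, oauth_token, nonce, now=None):
    """POST from the approval page. Re-checks freshness and consumes the marker,
    so one password entry authorizes at most one approval."""
    page = handle_authorize(session, oauth_token, now)
    if page["status"] != 200 or not hmac.compare_digest(page["nonce"], nonce):
        return {"status": 403}
    del session["fresh_auth"]
    return {"status": 200, "approved": oauth_token}


if __name__ == "__main__":
    # Constructed walk-through: the victim is already logged in to the SP.
    session = {"user": "alice"}
    print(handle_authorize(session, "tok1"))                 # 303 to /login: cookie alone is not enough
    print(handle_login(session, "alice", "correct horse", "tok1"))
    page = handle_authorize(session, "tok1")                 # 200: approval page
    print(page)
    print(handle_approve(session, "tok1", page["nonce"]))    # 200: approved, marker consumed
    print(handle_approve(session, "tok1", page["nonce"]))    # 403: cannot be replayed
```

Binding the marker to the request token matters: without it, a user who legitimately logs in to approve one application would, for the next minute, be exposed to a framed approval page for a different token. The gate relies on the password being typed by the user; it does not by itself prevent the login or approval URLs from being loaded in a frame.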
