On Fri, May 29, 2009 at 5:25 PM, Andrew Arnott <[email protected]> wrote: > I don't think the spec addresses the question at all, but my reading from > section 5.2 suggests that no parameters in the POST entity should be signed > unless the content type is application/x-www-form-urlencoded, which means > that parameters that come along with the image are unsigned.
I agree with your interpretation of the spec. If you care a lot about the integrity of the body, but can't use something simple like https for your purposes, check out http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
