On Mon, Jun 8, 2009 at 8:37 AM, Blaine Cook <[email protected]> wrote:
> FWIW, the approach of using your server to sign requests for a flex
> app ultimately (though probably not in practice) has exactly the same
> effect as distributing those consumer keys in plain text, except that
> you need to do the signature work instead of phishers or other
> attackers.

Doesn't it depend on how his server authenticates the flex widget and the user? The same-origin policy and authentication cookies can help you avoid creating a complete signing oracle.
