On Apr 18, 2013, at 9:39 AM, John Kemp <[email protected]> wrote:

>> But I am afraid that origin, referer and hosts of request can be modified
>> by a third party.
>>
>> Am I right ?
>
> In OAuth 1.0a, the HOST HTTP header is included in the OAuth signature (if
> you are using the HMAC_SHA1 or RSA_SHA1 signature mechanisms).
>
> Origin and Referer are NOT included by default in the signature. Depending on
> how much control you have over the software doing the signature verification,
> you might be able to add other parts of the HTTP request to the signature
> verification.
The OP stated that his client is a JavaScript client, which implies that the client cannot keep a secret, which rules out using OAuth 1.0A from the client directly.

Adrien: you will need to elaborate more on your client and the attacks you are concerned with. Is the JS running in a browser? Are you worried about man-in-the-middle attacks, or that someone will impersonate your client?

-- Dick
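To make John's point concrete, here is an added example (not code from anyone in this thread) of a minimal OAuth 1.0a HMAC-SHA1 signer and verifier following RFC 5849. The verifier rebuilds the signature base string URI from the Host header it actually received, so a signature produced for one host fails on another, while Origin and Referer play no part unless the deployment deliberately binds them. The `bound_headers` mechanism is a non-standard extension of the kind John describes, and the `x-signed-header-*` parameter names, hostnames, secrets, nonce and timestamp are all constructed for the demo. It also illustrates Dick's objection: the HMAC key is derived from the consumer secret, which a browser-resident JavaScript client cannot protect.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed demo secrets; a real deployment keeps these server-side and per client.
CONSUMER_SECRET = "consumer-secret-constructed"
TOKEN_SECRET = "token-secret-constructed"


def oauth_encode(value):
    # RFC 5849 section 3.6: percent-encode everything outside the RFC 3986 unreserved set.
    return quote(str(value), safe="-._~")


def base_string_uri(scheme, host, path):
    # RFC 5849 section 3.4.1.2: lowercase scheme and host, drop default ports, omit the query.
    scheme = scheme.lower()
    hostname, _, port = host.lower().partition(":")
    default_port = {"http": "80", "https": "443"}.get(scheme)
    authority = hostname if port in ("", default_port) else f"{hostname}:{port}"
    return f"{scheme}://{authority}{path or '/'}"


def signature_base_string(method, scheme, host, path, query, oauth_params, bound_headers=None):
    # RFC 5849 section 3.4.1.3: query params plus oauth_* params (minus oauth_signature),
    # each name/value percent-encoded, sorted, and joined.
    params = list(parse_qsl(query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Non-standard extension (assumption): fold chosen header values into the signed parameters.
    for name, value in (bound_headers or {}).items():
        params.append((f"x-signed-header-{name.lower()}", value))
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    uri = base_string_uri(scheme, host, path)
    return "&".join([method.upper(), oauth_encode(uri), oauth_encode(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    # RFC 5849 section 3.4.2: key is encoded consumer secret & encoded token secret.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, oauth_params, bound_headers=None):
    """Client side: sign against the URL the client intends to call."""
    parts = urlsplit(url)
    base = signature_base_string(method, parts.scheme, parts.netloc, parts.path,
                                 parts.query, oauth_params, bound_headers)
    return hmac_sha1(base, CONSUMER_SECRET, TOKEN_SECRET)


def verify_request(method, scheme, headers, path_and_query, oauth_params, bound_header_names=()):
    """Server side: recompute the signature from the request as received.

    The Host header feeds the base string URI, so a signature made for one host
    does not verify on another. Origin/Referer are ignored unless named in
    bound_header_names (the non-standard extension above)."""
    path, _, query = path_and_query.partition("?")
    bound = {name: headers.get(name, "") for name in bound_header_names}
    base = signature_base_string(method, scheme, headers["Host"], path, query, oauth_params, bound)
    expected = hmac_sha1(base, CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def protocol_params():
    # Constructed protocol parameters; nonce and timestamp are fixed for reproducibility.
    return {
        "oauth_consumer_key": "demo-key",
        "oauth_nonce": "constructed-nonce-1234",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1366299540",
        "oauth_token": "demo-token",
        "oauth_version": "1.0",
    }


def demo_host_is_covered():
    """Returns (same host ok, different Origin still ok, different Host rejected)."""
    oauth = protocol_params()
    oauth["oauth_signature"] = sign_request("GET", "https://api.example.com/resource?x=1", oauth)
    good = verify_request("GET", "https", {"Host": "api.example.com", "Origin": "https://app.example.com"},
                          "/resource?x=1", oauth)
    other_origin = verify_request("GET", "https", {"Host": "api.example.com", "Origin": "https://elsewhere.example"},
                                  "/resource?x=1", oauth)
    other_host = verify_request("GET", "https", {"Host": "other.example.net"}, "/resource?x=1", oauth)
    return good, other_origin, other_host


def demo_bound_origin():
    """Returns (matching bound Origin ok, different bound Origin rejected)."""
    oauth = protocol_params()
    origin = "https://app.example.com"
    oauth["oauth_signature"] = sign_request("GET", "https://api.example.com/resource", oauth,
                                            bound_headers={"Origin": origin})
    ok = verify_request("GET", "https", {"Host": "api.example.com", "Origin": origin},
                        "/resource", oauth, ("Origin",))
    bad = verify_request("GET", "https", {"Host": "api.example.com", "Origin": "https://elsewhere.example"},
                         "/resource", oauth, ("Origin",))
    return ok, bad


if __name__ == "__main__":
    print(demo_host_is_covered())  # (True, True, False)
    print(demo_bound_origin())     # (True, False)
```

Both sides must agree on exactly which headers are bound and how they are encoded, which is why this only works where you control the verifier as John says; and because Host comes from the TCP peer's request, binding it protects against a signed request being accepted at a different endpoint, not against a party that holds the secrets.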
