On Thu, Apr 1, 2010 at 9:18 PM, Allen Tom <[email protected]> wrote:
> The Auth server should also check for the presence of an HTTP Referrer.
> There should not be a referrer, since the user should not have clicked on
> anything to have landed on the screen

I don't think this one is going to work in practice.  Manufacturers
may not point users directly at the OAuth approval page.  They are
going to end up pointing users to something shorter, e.g.
"http://google.samsung.com".  That web site will then redirect the
user to the right approval page.

Otherwise we end up needing to tell users to manually type in long,
complex URLs like
https://www.google.com/accounts/OAuthAuthorize?client_id=1238979.

Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
