+1 to accepting only HTTP POST and preventing cross-site posting.

On Apr 2, 2010, at 10:20 AM, Marius Scurtescu wrote:

> On Fri, Apr 2, 2010 at 8:53 AM, Brian Eaton <[email protected]> wrote:
>> On Thu, Apr 1, 2010 at 9:18 PM, Allen Tom <[email protected]> wrote:
>>> The Auth server should also check for the presence of an HTTP Referrer.
>>> There should not be a referrer, since the user should not have clicked on
>>> anything to have landed on the screen
>> 
>> I don't think this one is going to work in practice.  Manufacturers
>> may not point users directly at the OAuth approval page.  They are
>> going to end up pointing users to something shorter, e.g.
>> "http://google.samsung.com".  That web site will then redirect the
>> user to the right approval page.
> 
> Then maybe the approval page can white list known referrers?
> 
> 
> With the device flow the user normally has to go to a page and then
> type in a code at that page. If the approval page accepts only HTTP POST
> and also prevents cross site posting then session fixation is not that
> easy anymore. Now the attacker has to convince the user to follow
> a link *and* type a code at that page.
> 
> Marius

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
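As an added sketch (not code from this thread or from any OAuth implementation) of the approval page Marius describes: a GET only renders the form and never acts on a code in the URL, and only a same-origin POST carrying a CSRF token bound to the login session can approve a typed code. The `Request` model, `SELF_ORIGIN` and the `pending` code table are assumptions.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SECRET = secrets.token_bytes(32)          # constructed per-process key for CSRF tokens
SELF_ORIGIN = "https://auth.example"      # assumed origin of the approval page

@dataclass
class Request:                            # hypothetical minimal request model
    method: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session_id: str = ""                  # set only when the user is logged in

def csrf_token(session_id: str) -> str:
    """Anti-CSRF token bound to the login session via HMAC."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(url: str) -> bool:
    """Exact scheme+host match; a prefix check would accept look-alike hosts."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == SELF_ORIGIN

def handle_approval(req: Request, pending: dict):
    """Device-flow approval endpoint. Returns (status, body).
    A GET only renders the form and ignores any user_code in the query string,
    so a link crafted by an attacker cannot pre-select their device code.
    Only a same-origin POST with a valid CSRF token and a typed code proceeds."""
    if not req.session_id:
        return 401, {"error": "login required"}
    if req.method != "POST":
        return 200, {"form": True, "csrf": csrf_token(req.session_id)}
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):           # blocks cross-site posting
        return 403, {"error": "cross-site post"}
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token(req.session_id)):
        return 403, {"error": "missing or invalid csrf token"}
    code = req.form.get("user_code", "").strip().upper()
    if code not in pending:
        return 400, {"error": "unknown code"}
    return 200, {"approved": pending.pop(code)}   # one use: binds the code to this user
```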
