> Don't you have larger problems if your protected resources are compromised?
There is no compromise. It is perfectly normal for a service to return content with links to arbitrary other sites. Even redirects to arbitrary other sites (open redirectors), though they cause some issues, don't mean the protected resources are compromised. It just means clients need to be careful when following links and redirects on the web, and they need the right info to be able to be careful (such as when to include a token). All the "connections" in the Facebook API example shown below are to Facebook. If Facebook allowed user-generated values for some of these that could point to other sites, it wouldn't mean Facebook was compromised technically, but it would mean a token should be included when getting some but not others.

https://graph.facebook.com/btaylor?metadata=1

{
  "id": "220439",
  "name": "Bret Taylor",
  "first_name": "Bret",
  "last_name": "Taylor",
  "link": "http://www.facebook.com/btaylor",
  "location": {
    "id": 109650795719651,
    "name": "Los Gatos, California"
  },
  "gender": "male",
  "metadata": {
    "connections": {
      "home": "https://graph.facebook.com/btaylor/home",
      "feed": "https://graph.facebook.com/btaylor/feed",
      "friends": "https://graph.facebook.com/btaylor/friends",
      "family": "https://graph.facebook.com/btaylor/family",
      "activities": "https://graph.facebook.com/btaylor/activities",
      "interests": "https://graph.facebook.com/btaylor/interests",
      "music": "https://graph.facebook.com/btaylor/music",
      "books": "https://graph.facebook.com/btaylor/books",
      "movies": "https://graph.facebook.com/btaylor/movies",
      "television": "https://graph.facebook.com/btaylor/television",
      "likes": "https://graph.facebook.com/btaylor/likes",
      "posts": "https://graph.facebook.com/btaylor/posts",
      "tagged": "https://graph.facebook.com/btaylor/tagged",
      "statuses": "https://graph.facebook.com/btaylor/statuses",
      "links": "https://graph.facebook.com/btaylor/links",
      "notes": "https://graph.facebook.com/btaylor/notes",
      "photos": "https://graph.facebook.com/btaylor/photos",
      "albums": "https://graph.facebook.com/btaylor/albums",
      "events": "https://graph.facebook.com/btaylor/events",
      "groups": "https://graph.facebook.com/btaylor/groups",
      "videos": "https://graph.facebook.com/btaylor/videos",
      "picture": "https://graph.facebook.com/btaylor/picture",
      "inbox": "https://graph.facebook.com/btaylor/inbox",
      "outbox": "https://graph.facebook.com/btaylor/outbox",
      "updates": "https://graph.facebook.com/btaylor/updates"
    }
  },
  "type": "user"
}

-- James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
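The client-side rule the message argues for (attach the bearer token only to links that stay on the protected resource's own origin), as an added illustration that is not from the post or the OAuth working group. The response is a constructed cut-down version of the Graph API example above with two hypothetical extra "connections", and `plan_requests`, `origin` and the trusted-origin URL are names assumed here.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the response quoted above; the "website" and
# "insecure" entries are hypothetical links that a user-generated value could produce.
SAMPLE_RESPONSE = json.dumps({
    "id": "220439",
    "link": "http://www.facebook.com/btaylor",
    "metadata": {"connections": {
        "feed": "https://graph.facebook.com/btaylor/feed",
        "photos": "https://graph.facebook.com/btaylor/photos",
        "website": "https://example.org/btaylor",               # off-site
        "insecure": "http://graph.facebook.com/btaylor/feed",  # right host, plaintext
    }},
})


def origin(url):
    """Return (scheme, host, port) so that same-origin links compare equal, or None
    if the URL is not an absolute http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def plan_requests(response_json, resource_server_url, token):
    """For each connection, return the headers a client should send when following it.

    The token goes only to links on the exact https origin of the resource server the
    token was issued for; every other link (other host, or plain http on the same host)
    is followed with no credentials, so a user-supplied link cannot receive the token.
    """
    trusted = origin(resource_server_url)
    if trusted is None or trusted[0] != "https":
        raise ValueError("resource server must be an absolute https URL")
    connections = json.loads(response_json)["metadata"]["connections"]
    plan = {}
    for name, url in connections.items():
        send_token = origin(url) == trusted
        plan[name] = {"Authorization": "Bearer " + token} if send_token else {}
    return plan


if __name__ == "__main__":
    for name, headers in plan_requests(SAMPLE_RESPONSE, "https://graph.facebook.com", "t0k3n").items():
        print(name, "-> token" if headers else "-> no token")
```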
