I thought this thread was about https://graph.facebook.com/btaylor returning
an HTTP redirect, not about following links returned within the result?


On Thu, May 6, 2010 at 11:28 PM, Manger, James H <
[email protected]> wrote:

>  > Don't you have larger problems if your protected resources are
> compromised?
>
> There is no compromise.
>
> It is perfectly normal for a service to return content with links to
> arbitrary other sites.
>
> Even redirects to arbitrary other sites (open redirectors) — though they
> cause some issues — don’t mean the protected resources are compromised.
>
> It just means clients need to be careful when following links and redirects
> on the web, and they need the right info to be able to be careful (such as
> when to include a token).
>
> All the “connections” in the Facebook API example shown below are to
> Facebook. If Facebook allowed user-generated values for some of these that
> could point to other sites, it wouldn’t mean Facebook was compromised
> technically, but it would mean a token should be included when getting some
> but not others.
>
> https://graph.facebook.com/btaylor?metadata=1
>
> {
>    "id": "220439",
>    "name": "Bret Taylor",
>    "first_name": "Bret",
>    "last_name": "Taylor",
>    "link": "http://www.facebook.com/btaylor",
>    "location": {
>       "id": 109650795719651,
>       "name": "Los Gatos, California"
>    },
>    "gender": "male",
>    "metadata": {
>       "connections": {
>          "home": "https://graph.facebook.com/btaylor/home",
>          "feed": "https://graph.facebook.com/btaylor/feed",
>          "friends": "https://graph.facebook.com/btaylor/friends",
>          "family": "https://graph.facebook.com/btaylor/family",
>          "activities": "https://graph.facebook.com/btaylor/activities",
>          "interests": "https://graph.facebook.com/btaylor/interests",
>          "music": "https://graph.facebook.com/btaylor/music",
>          "books": "https://graph.facebook.com/btaylor/books",
>          "movies": "https://graph.facebook.com/btaylor/movies",
>          "television": "https://graph.facebook.com/btaylor/television",
>          "likes": "https://graph.facebook.com/btaylor/likes",
>          "posts": "https://graph.facebook.com/btaylor/posts",
>          "tagged": "https://graph.facebook.com/btaylor/tagged",
>          "statuses": "https://graph.facebook.com/btaylor/statuses",
>          "links": "https://graph.facebook.com/btaylor/links",
>          "notes": "https://graph.facebook.com/btaylor/notes",
>          "photos": "https://graph.facebook.com/btaylor/photos",
>          "albums": "https://graph.facebook.com/btaylor/albums",
>          "events": "https://graph.facebook.com/btaylor/events",
>          "groups": "https://graph.facebook.com/btaylor/groups",
>          "videos": "https://graph.facebook.com/btaylor/videos",
>          "picture": "https://graph.facebook.com/btaylor/picture",
>          "inbox": "https://graph.facebook.com/btaylor/inbox",
>          "outbox": "https://graph.facebook.com/btaylor/outbox",
>          "updates": "https://graph.facebook.com/btaylor/updates"
>       }
>    },
>    "type": "user"
> }
>
> --
>
> James Manger
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
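The point James raises above (a client needs to know when a link or redirect may carry the token) can be enforced mechanically. The following is an added example, not code from the thread or from Facebook: it binds the bearer token to one origin, assumed here to be https://graph.facebook.com, attaches it only to https links with exactly that origin, and strips it when a redirect leaves that origin. The "connections" document and the two extra off-origin links in the sample are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Origin the token was issued for (assumption for this example).
TOKEN_ORIGIN = "https://graph.facebook.com"


def origin_of(url: str) -> str:
    """Return scheme://host[:port], lower-cased, default port dropped."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    default = {"http": 80, "https": 443}[parts.scheme]
    port = parts.port  # raises ValueError on a malformed port
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def should_send_token(url: str, token_origin: str = TOKEN_ORIGIN) -> bool:
    """True only for https URLs whose origin equals the token's origin."""
    try:
        origin = origin_of(url)
    except ValueError:
        return False
    return origin.startswith("https://") and origin == origin_of(token_origin)


def headers_for_redirect(location: str, headers: dict) -> dict:
    """Headers to reuse when following a redirect; drop the token off-origin."""
    out = dict(headers)
    if not should_send_token(location):
        out.pop("Authorization", None)
    return out


def classify_connections(metadata_json: str) -> dict:
    """Map each 'connections' link name to whether the token will be sent."""
    doc = json.loads(metadata_json)
    links = doc.get("metadata", {}).get("connections", {})
    return {name: should_send_token(url) for name, url in links.items()}


# Constructed sample: two links from the thread plus two that must not get the token.
SAMPLE = json.dumps({"id": "220439", "metadata": {"connections": {
    "home": "https://graph.facebook.com/btaylor/home",
    "picture": "https://graph.facebook.com/btaylor/picture",
    "website": "https://example.net/btaylor",             # user-controlled, off-origin
    "insecure": "http://graph.facebook.com/btaylor/feed",  # right host, no TLS
}}})
```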
