What about browsing history? I've just run the JSP below in Tomcat and found
out that Firefox remembers the redirect in the browsing history. It'll be a
problem in a shared desktop or Internet kiosk environment.

JSP:
<% String url = "http://localhost:8080#access_token=123";
response.sendRedirect(url); %>

The URL that I can see in Firefox->History: 
http://localhost:8080#access_token=123


Why don't you want to send the access token in the response's body along with
JavaScript that will redirect the browser to the URL without the token on page load?

Oleg.
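A way to reproduce the server-side half of this thread's check (the Tomcat access log, the Perl and Ruby user agents) in one self-contained script, added here as an example and not code from any of the posters: a loopback HTTP server answers `/red` with a 302 whose `Location` carries `#access_token=123`, Python's `urllib` stands in for the user agent and follows the redirect, and the server's in-memory access log is inspected for a fragment. The token value, the port (picked by the OS) and the `/red` and `/tmp` paths are constructed for the example. It says nothing about browser history, which is a client-side matter this script does not model.

```python
"""Replicates the thread's check with the standard library only: a local
HTTP server answers /red with a 302 whose Location carries a fragment,
urllib follows the redirect, and the recorded request-targets (the
access-log stand-in) are inspected for a '#'. All values are constructed."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed token value, mirroring the thread's "access_token=123".
SAMPLE_TOKEN = "123"


class RecordingServer(ThreadingHTTPServer):
    """HTTP server that keeps an in-memory log of request-targets."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.request_targets = []  # stands in for Tomcat's access log


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.path is the request-target from the request line; record it
        # before answering, the way an access log would.
        self.server.request_targets.append(self.path)
        if self.path == "/red":
            # The redirect endpoint: fragment in Location, as in red.jsp.
            target = (f"http://127.0.0.1:{self.server.server_port}"
                      f"/tmp#access_token={SAMPLE_TOKEN}")
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"landing page\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep stdout quiet
        pass


def run_redirect_check():
    """Start the server, follow the redirect with urllib, and return what
    the server logged next to what the client ended up holding."""
    server = RecordingServer(("127.0.0.1", 0), RedirectHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/red"
        with urllib.request.urlopen(url) as resp:
            final_url = resp.geturl()  # urllib keeps the fragment client-side
            status = resp.status
    finally:
        server.shutdown()
        server.server_close()
    return {
        "request_targets": list(server.request_targets),
        "final_url": final_url,
        "status": status,
        "fragment_logged": any("#" in t for t in server.request_targets),
    }


if __name__ == "__main__":
    result = run_redirect_check()
    for target in result["request_targets"]:
        print("server saw:", target)
    print("client final URL:", result["final_url"])
    print("fragment reached the server log:", result["fragment_logged"])
```

Run directly, it prints the two request-targets the server saw (`/red` and `/tmp`) next to the client's final URL, which still ends in `#access_token=123`: the fragment survives on the client but never reaches the server's log, which is the distinction the thread converges on. Swapping in another HTTP client library at the `urlopen` call is the quickest way to check that client against the same property.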




________________________________
From: Oleg Gryb <oleg_g...@yahoo.com>
To: David Recordon <record...@gmail.com>
Cc: oauth@ietf.org
Sent: Sun, August 1, 2010 7:47:52 PM
Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?


I've just verified Ruby and Perl's user agents as well: both worked as expected 
- no fragments in the web log files. It adds confidence. Thanks to everyone who 
has answered. The code that I've used is below:

--------------------------------------------------------------------------------
use strict;
use warnings;
use LWP;

my $browser = LWP::UserAgent->new;

if ($browser) {
   # agent() takes only the product token; LWP adds the "User-Agent: " header name itself
   $browser->agent("Mozilla/4.0");
   my $req = HTTP::Request->new(GET => "http://localhost:8080/tmp#access_token=123");
   my $res = $browser->request($req);
   # The check is in the server's access log: only /tmp should appear there
}
-------------------------------------------------------------------------------
require 'httpclient'

client = HTTPClient.new
# Same check as the Perl version: the server's access log should show only /ruby
client.get('http://localhost:8080/ruby#access_token=123')


--- On Sun, 8/1/10, Oleg Gryb <oleg_g...@yahoo.com> wrote:


>From: Oleg Gryb <oleg_g...@yahoo.com>
>Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
>To: o...@gryb.info, "David Recordon" <record...@gmail.com>
>Cc: oauth@ietf.org
>Date: Sunday, August 1, 2010, 8:42 PM
>
>
>David,
>
>Yes, you're right, I should have paid attention to the GET line, not to the
>URL above. The browser honors the fragment sent in Location, but it's not on
>the GET line.
>
>
>I've also enabled the Tomcat access log and could not find the fragment there.
>
>My apologies. 
>
>--- On Sun, 8/1/10, David Recordon <record...@gmail.com> wrote:
>
>
>>From: David Recordon <record...@gmail.com>
>>Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
>>To: o...@gryb.info
>>Cc: oauth@ietf.org
>>Date: Sunday, August 1, 2010, 8:24 PM
>>
>>
>>Yes, the HTTP request that the browser finally made was:
>>GET / HTTP/1.1
>>Host: www.google.com
>>
>>The fragment wasn't sent by the browser to the server.
>>
>>--David
>>
>>
>>On Sun, Aug 1, 2010 at 5:12 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
>
>Here is an example with the Location header. I don't see the URI with the access
>token being truncated. See the Location header generated by the JSP and the
>actual redirect that the browser followed below.
>
>red.jsp (Running on local Tomcat):
>
><% String url = "http://www.google.com#access_token=123";
>response.sendRedirect(url); %>
>
>Live HTTP headers trace for Iceweasel Browser:
>
>http://localhost:8080/red.jsp
>
>GET /red.jsp HTTP/1.1
>Host: localhost:8080
>
>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) 
>Gecko/2009032018 
>Mozilla/3.0.12 (Debian-3.0.12-1)
>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>Accept-Language: en-us,en;q=0.5
>Accept-Encoding: gzip,deflate
>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>Keep-Alive: 300
>Connection: keep-alive
>
>HTTP/1.x 302 Moved Temporarily
>Server: Apache-Coyote/1.1
>Set-Cookie: JSESSIONID=236DAD3EA6288BDC6A780CFFFB9F83E2; Path=/
>Location: http://www.google.com#access_token=123
>Content-Type: text/html;charset=ISO-8859-1
>Content-Length: 0
>Date: Mon, 02 Aug 2010 00:18:01 GMT
>
>----------------------------------------------------------
>http://www.google.com/#access_token=123
>
>GET / HTTP/1.1
>Host: www.google.com
>
>
>--- On Sun, 8/1/10, Oleg Gryb <oleg_g...@yahoo.com> wrote:
>
>> From: Oleg Gryb <oleg_g...@yahoo.com>
>
>> Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
>> To: "Marius Scurtescu" <mscurte...@google.com>, "Bouiaw" <bou...@gmail.com>
>> Cc: oauth@ietf.org
>> Date: Sunday, August 1, 2010, 7:18 PM
>
>> I'll need to check if it's true for
>> dynamic redirects that use the Location header,
>> but right now I can provide an example where JavaScript
>> is used for redirects,
>> in which case the access token is sent in a URL.
>>
>> Let us assume that you've implemented an endpoint on your
>> authz server as a JSP
>> that populates access token dynamically:
>>
>> <html>
>> <body onload="window.location.href =
>> 'http://www.google.com#access_token=<%=var_with_token%>'">
>> </body>
>> </html>
>>
>> After the JSP container expanded the variable, the response
>> that the browser will see
>> looks as follows:
>>
>>
>> <html>
>> <body onload="window.location.href =
>> 'http://www.google.com#access_token=123'">
>> </body>
>> </html>
>>
>> To test the page above, I put it on my local Apache web
>> server and then accessed
>> it using the Iceweasel browser. I've used HTTP Live Headers to
>> see all redirects.
>> The trace is below. Please let me know what I'm missing.
>> The last GET has the access
>> token in it.
>>
>> http://localhost/red.html
>>
>> GET /red.html HTTP/1.1
>> Host: localhost
>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
>> rv:1.9.0.7) Gecko/2009032018
>> Mozilla/3.0.12 (Debian-3.0.12-1)
>> Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Connection: keep-alive
>> If-Modified-Since: Sun, 01 Aug 2010 23:15:07 GMT
>> If-None-Match: "dfa53-67-48ccb4133b4c0"-gzip
>>
>> HTTP/1.x 200 OK
>> Date: Sun, 01 Aug 2010 23:16:17 GMT
>> Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with
>> Suhosin-Patch
>> mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
>> Last-Modified: Sun, 01 Aug 2010 23:15:07 GMT
>> Etag: "dfa53-67-48ccb4133b4c0"-gzip
>> Accept-Ranges: bytes
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Content-Length: 110
>> Keep-Alive: timeout=15, max=100
>> Connection: Keep-Alive
>> Content-Type: text/html
>> ----------------------------------------------------------
>> http://www.google.com/#access_token=123
>>
>> GET / HTTP/1.1
>> Host: www.google.com
>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
>> rv:1.9.0.7) Gecko/2009032018
>> Mozilla/3.0.12 (Debian-3.0.12-1)
>> Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Connection: keep-alive
>> Referer: http://localhost/red.html
>> Cookie: PREF=ID=0f1fa5297d3f9d6a:U=f5ef3a217b0cd5bf:TM=1277864220:LM=1278796823:GM=1:S=j8uhrMH9ofdi5YZo; NID=37=J2gm7WZsItUM0qhpdyYDiOyE7XuO0tWvSWtOcBpgWZ-Y3Rrb6XJC46TcHkHOqiMUF1ClrcG9JZQ9l0BN8eJUinfWIgsUEw7NuCwphBhwjO1odRifOKngacoHcy83E1wd; SID=DQAAAHcAAADE79x4u_-iBaW7H0MKg1k42z-x8maC4Cm3nUsu68UmsWtkeKZ1cRpG9_YxNhRNeSqGpeRGwyxyMUFtyLBEtfpwt76t_RgE0BTQRig2NqD82bmbcf_CTC0Eu-7HjxNw_n6cW1gkWrUPS46aCzkeIDHAJHDMoVOrrmkVe3lcOGZ1ZQ; HSID=ASoUGayYF7At1XErl
>>
>> ----- Original Message ----
>> From: Marius Scurtescu <mscurte...@google.com>
>> To: Bouiaw <bou...@gmail.com>
>> Cc: Oleg Gryb <o...@gryb.info>;
>> oauth@ietf.org
>> Sent: Sun, August 1, 2010 1:03:36 PM
>> Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in
>> OAuth 2.0?
>>
>> On Sun, Aug 1, 2010 at 12:22 PM, Bouiaw <bou...@gmail.com>
>> wrote:
>> > Has the redirect with fragment in URL without sending
>> > it to the
>> > server been tested with all main browsers?
>>
>> AFAIK this is how all major browsers behave. Does anyone
>> know
>> otherwise? Browsers that don't respect this?
>>
>> Marius
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

