On Tue, Aug 10, 2010 at 11:00 AM, Oleg Gryb <[email protected]> wrote:
> The thing is that each time when a web app with sensitive info can be run in
> a frame, security people would advise to break that
> frame-reads-other-frame-data logic, because it can lead to violation of same
> origin policy.
This is incorrect. The security of this flow is based entirely on the same-origin policy. Same-origin provides the basic authentication of the destination of the access tokens. Note that both the web-server and the user-agent flows are entirely about passing information to third-party web sites, so suggesting that these flows should not pass information across domains is not really helpful. =)

> Yes, but you'll need a web server client for that. I'm saying that UA profile
> can be POST based too.

(a) The POST would bust the browser cache.

(b) Javascript can't read POST bodies. (At least not to my knowledge. If you know of client-side code that can do this, I'm interested.)

If we were willing to accept the performance penalty of busting the browser-cache, we would use the web-server flow.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
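Editor's added example, not part of the original message or of any OAuth draft text. It assumes the user-agent flow of the 2010 OAuth 2.0 drafts, in which the authorization server redirects the browser back to the client's registered redirect URI with the token carried in the URI fragment (the assumption that makes the reply's two points hang together: a GET whose fragment is read by client-side script is cacheable, and the fragment is the only part of the response that script can read but the wire never carries). The redirect URL, `client.example.com`, the `/cb` path and the token value are constructed, and `state` handling is included as the check a defender would want the callback page to make.

```javascript
// Added example (not from the original message). Models the draft-era
// user-agent flow: the token is delivered in the URI fragment of a redirect
// to the client's registered redirect URI. Only script running in that
// origin can read the fragment, which is why the reply says the same-origin
// policy is what authenticates the destination of the access token.

// Constructed redirect URL, as the browser sees it after the authorization
// server redirects back (hostname, path and token value are made up).
const CONSTRUCTED_REDIRECT =
  "https://client.example.com/cb?v=1#access_token=2YotnFZFEjr1zCsicMWpAA&expires_in=3600&state=xyz";

// What the HTTP GET to client.example.com actually carries. Browsers strip
// the fragment before sending the request, so the token never reaches the
// client's web server, and the cacheable callback page can come from the
// browser cache (the reply's point (a) about a POST busting the cache).
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search; // fragment deliberately absent
}

// Client-side parsing of the fragment (the reply's point (b): script can
// read window.location.hash but not a POST body). The same-origin policy
// prevents any other origin or frame from reading this window's location.
function parseFragmentResponse(redirectUrl, expectedState) {
  const u = new URL(redirectUrl);
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));

  // Bind the response to the request this page started; reject anything else
  // so an attacker cannot plant a token of their choosing in the victim's session.
  if (params.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch" };
  }
  if (params.has("error")) {
    return { ok: false, error: params.get("error") };
  }
  const token = params.get("access_token");
  if (!token) {
    return { ok: false, error: "missing_token" };
  }
  return {
    ok: true,
    accessToken: token,
    expiresIn: Number(params.get("expires_in")),
  };
}

// Stand-alone usage: what the server saw vs. what the page's script can read.
console.log("server received:", requestTarget(CONSTRUCTED_REDIRECT));
console.log("script parsed:", parseFragmentResponse(CONSTRUCTED_REDIRECT, "xyz"));
```

Run with Node: the `requestTarget` line shows only `/cb?v=1` reaching the server, while `parseFragmentResponse` yields the token only when the `state` value matches the one the page issued before the redirect.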
