Francisco, you made a good point. However, the question is whether this belongs in the OAuth scope, since this is a general attack on a web app's session management.
I will incorporate the threat you described and the advice to use TLS into the OAuth security document.

regards,
Torsten.

Sent with BlackBerry® Webmail from Telekom Deutschland

-----Original Message-----
From: Francisco Corella <[email protected]>
Sender: [email protected]
Date: Mon, 3 Jan 2011 22:11:05
To: <[email protected]>
Reply-To: [email protected]
Cc: Karen P. Lewison <[email protected]>
Subject: [OAUTH-WG] TLS is needed for redirecting back to the client

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
