> - give out authorization codes via the user-agent flow. We've
> implemented a variation of this based on HTML5 and window.postMessage.
> Caveat: This will run you off-spec.
> - use a fixed callback URL for the user-agent flow. Make sure that
> fixed callback URL does not run random bits of script. Then have that
> fixed callback URL use javascript to convey the token to other pages
> on the same origin.
>
> It's a bad idea to use the user-agent flow without a specific
> whitelist of callback URLs which can receive the token.

Brian's nailed it here. The best way to use this flow is to control the landing page as much as possible.

-- Justin

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
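The second option Brian lists (a fixed callback URL that does nothing but relay the token to same-origin pages, behind an exact whitelist of callback URLs) can be sketched in a few functions. This is an added example written for this page, not code from the thread, the IETF OAuth work, or either poster. It assumes a hypothetical client origin `https://app.example`, a registered callback `https://app.example/oauth/cb`, and a made-up message shape `{type: 'oauth-token', ...}`; the authorization server side is reduced to the one check that matters here, an exact string match of the requested redirect against the registered list.

```javascript
'use strict';

// Authorization-server side: exact-match the requested redirect URI against
// the registered callback URLs. No prefix, wildcard or "same host" matching:
// any looser rule lets a page the attacker controls receive the fragment.
function isAllowedRedirect(registeredUris, requestedUri) {
  return registeredUris.includes(requestedUri);
}

// Landing-page side: parse "#access_token=...&state=..." into an object.
// Only the fragment is read; the query string is deliberately ignored.
function parseFragment(hash) {
  const params = {};
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of raw.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
    params[key] = val;
  }
  return params;
}

// Relay the token to the window that opened the callback page. The target
// origin is passed explicitly (never '*'), so a foreign window never receives
// the message, and the caller's clearHash() scrubs the token from the URL so
// it does not sit in history or get leaked through Referer on later navigation.
// 'target' is any object with postMessage(data, targetOrigin) (window.opener,
// window.parent, or a stand-in for testing).
function relayToken(fragment, ownOrigin, target, clearHash) {
  const p = parseFragment(fragment);
  if (!p.access_token) return false;
  target.postMessage(
    { type: 'oauth-token', access_token: p.access_token, state: p.state || '' },
    ownOrigin,
  );
  clearHash();
  return true;
}

// Receiving side: accept the token only from a message whose origin is our
// own. Without this check any page can postMessage a forged token into the app.
function acceptTokenMessage(event, ownOrigin) {
  if (event.origin !== ownOrigin) return null;
  if (!event.data || event.data.type !== 'oauth-token') return null;
  return event.data.access_token;
}

// Browser wiring (hypothetical callback page at https://app.example/oauth/cb).
if (typeof window !== 'undefined' && window.opener) {
  relayToken(window.location.hash, window.location.origin, window.opener, () => {
    window.history.replaceState(null, '', window.location.pathname);
  });
}

module.exports = { isAllowedRedirect, parseFragment, relayToken, acceptTokenMessage };
```

The callback page itself carries no application code and loads no third-party script, which is the "does not run random bits of script" condition: the only JavaScript that can ever see the fragment is the relay above. The opener registers a `message` listener that calls `acceptTokenMessage(event, window.location.origin)` and still has to compare the returned `state` with the value it generated before starting the flow.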
