On Fri, Jul 8, 2011 at 11:39 AM, Eran Hammer-Lahav <[email protected]> wrote:
> How exactly? They are not confidential by nature, being received via 
> redirection in the URI query. I know what this sentence is trying to 
> accomplish but not sure how to do that with normative language. SHOULD 
> doesn't really work here either.

The browser same origin policy does apply to URI queries.  They MUST
be kept confidential, i.e. only sent to authorized entities.  That
covers:

- the client web site
- the browser
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to