Can't LocalStorage etc be stolen with XSS too? If an attacker gets their JS running on the page then the game is up.
Ian

On Mon, Jul 11, 2011 at 7:06 PM, Larry Suto <[email protected]> wrote:
> Cookies can be stolen by directed XSS attacks.
>
> Larry
>
> On Mon, Jul 11, 2011 at 3:46 PM, Eran Hammer-Lahav <[email protected]> wrote:
>>
>> Any cookie? What about a Secure cookie limited to a specific sub-domain?
>> What are the concerns about cookies? I think this would be helpful to
>> discuss.
>>
>> EHL
>>
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf
>> > Of Marius Scurtescu
>> > Sent: Monday, July 11, 2011 3:15 PM
>> > To: Doug Tangren
>> > Cc: [email protected]
>> > Subject: Re: [OAUTH-WG] best practices for storing access token for
>> > implicit clients
>> >
>> > On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <[email protected]> wrote:
>> > > What is the current recommended practice of storing an implicit
>> > > client's access_tokens? LocalStorage, in mem and re-request auth on
>> > > every browser refresh?
>> >
>> > Both sound reasonable. I think most important is how NOT to store it, in
>> > a cookie.
>> >
>> > Marius
>> > _______________________________________________
>> > OAuth mailing list
>> > [email protected]
>> > https://www.ietf.org/mailman/listinfo/oauth

-- 
Ian McKellar <http://ian.mckellar.org/>
[email protected]: email | jabber | msn
ianloic: flickr | aim | yahoo | skype | linkedin | etc.
