My guess about no cookies was that, in the design of implicit client token passing, the access token is never shared with the server, only with the browser via the redirect_uri's fragment. Once the browser has the token, my question was about how (or even if) people are storing access tokens between page refreshes. LocalStorage seemed to fit right, but I wasn't sure what holes that might open up, since other scripts may have access to the same local storage as the page that intercepts the access token.
-Doug Tangren
http://lessis.me

On Mon, Jul 11, 2011 at 7:08 PM, Ian McKellar <[email protected]> wrote:
> Can't LocalStorage etc be stolen with XSS too? If an attacker gets
> their JS running on the page then the game is up.
>
> Ian
>
> On Mon, Jul 11, 2011 at 7:06 PM, Larry Suto <[email protected]> wrote:
> > Cookies can be stolen by directed XSS attacks.
> >
> > Larry
> >
> > On Mon, Jul 11, 2011 at 3:46 PM, Eran Hammer-Lahav <[email protected]> wrote:
> >> Any cookie? What about a Secure cookie limited to a specific sub-domain?
> >> What are the concerns about cookies? I think this would be helpful to
> >> discuss.
> >>
> >> EHL
> >>
> >> > -----Original Message-----
> >> > From: [email protected] [mailto:[email protected]] On Behalf
> >> > Of Marius Scurtescu
> >> > Sent: Monday, July 11, 2011 3:15 PM
> >> > To: Doug Tangren
> >> > Cc: [email protected]
> >> > Subject: Re: [OAUTH-WG] best practices for storing access token for
> >> > implicit clients
> >> >
> >> > On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <[email protected]> wrote:
> >> > > What is the current recommended practice of storing an implicit
> >> > > client's access_tokens? LocalStorage, in mem and re-request auth on
> >> > > every browser refresh?
> >> >
> >> > Both sound reasonable. I think most important is how NOT to store it, in
> >> > a cookie.
> >> >
> >> > Marius
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > [email protected]
> >> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Ian McKellar <http://ian.mckellar.org/>
> [email protected]: email | jabber | msn
> ianloic: flickr | aim | yahoo | skype | linkedin | etc.
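The two storage choices the thread weighs (in memory vs. localStorage) and Ian's point that XSS defeats both, as an added example that is not part of the thread or anyone's posted code. It runs under plain Node, so the browser's location.hash, localStorage and the fetch/XHR transport are replaced by a constructed sample fragment, a small stub and a plain function (all assumptions); the storage key name is hypothetical.

```javascript
// Added example, not code from the thread. Runs under plain Node: the
// browser's location.hash and localStorage are replaced by a constructed
// value and a stub (assumptions), as is the fetch/XHR transport.

// Parse the token the authorization server placed in the redirect_uri
// fragment. The fragment never reaches any server: browsers drop everything
// after '#' from the request line, which is why only the page's JS sees it.
function parseFragmentToken(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const token = params.get('access_token');
  if (token === null) return null;                 // not an implicit-grant response
  if (params.get('state') !== expectedState) {     // bind response to our own request
    throw new Error('state mismatch: refusing injected token');
  }
  return {
    token,
    tokenType: params.get('token_type') || 'bearer',
    expiresAt: Date.now() + 1000 * Number(params.get('expires_in') || 0),
  };
}

// Strategy 1 from the thread: keep the token in memory only. It is gone on
// reload, so the client must re-run the authorization redirect.
function memoryStore() {
  let current = null;
  return { set(t) { current = t; }, get() { return current; }, survivesReload: false };
}

// Strategy 2: localStorage. Survives reloads, but any script on the same
// origin can enumerate it. KEY is a hypothetical name.
const KEY = 'oauth_access_token';
function localStorageStore(storage) {
  return {
    set(t) { storage.setItem(KEY, JSON.stringify(t)); },
    get() { const v = storage.getItem(KEY); return v === null ? null : JSON.parse(v); },
    survivesReload: true,
  };
}

// The client's API call: attaches the bearer token. `transport` stands in
// for fetch/XMLHttpRequest and takes {url, headers} (assumption).
function apiClient(store, transport) {
  return function call(url) {
    const t = store.get();
    if (t === null || Date.now() >= t.expiresAt) throw new Error('no valid token; re-authorize');
    return transport({ url, headers: { Authorization: `Bearer ${t.token}` } });
  };
}

// Simulated XSS payload A: dump localStorage. Only finds the token when the
// page chose strategy 2.
function xssDumpStorage(storage) {
  const leaked = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    leaked[k] = storage.getItem(k);
  }
  return leaked;
}

// Simulated XSS payload B: wrap the transport and copy every Authorization
// header. Works against both strategies, which is the "game is up" point.
function xssHookTransport(transport) {
  const captured = [];
  const hooked = (req) => { captured.push(req.headers.Authorization); return transport(req); };
  return { hooked, captured };
}

// Minimal localStorage stand-in for Node (assumption).
function fakeLocalStorage() {
  const m = new Map();
  return {
    get length() { return m.size; },
    key(i) { const k = Array.from(m.keys())[i]; return k === undefined ? null : k; },
    getItem(k) { return m.has(k) ? m.get(k) : null; },
    setItem(k, v) { m.set(k, String(v)); },
  };
}

// Constructed sample fragment, as the browser would land on it after the redirect.
const SAMPLE_HASH =
  '#access_token=tok_example_123&token_type=bearer&expires_in=3600&state=xyz123';

function demo() {
  const honest = (req) => ({ status: 200, url: req.url });
  const tok = parseFragmentToken(SAMPLE_HASH, 'xyz123');

  const lsA = fakeLocalStorage();          // page using strategy 2
  localStorageStore(lsA).set(tok);
  const lsB = fakeLocalStorage();          // page using strategy 1 writes nothing here
  const mem = memoryStore();
  mem.set(tok);

  const { hooked, captured } = xssHookTransport(honest);
  apiClient(mem, hooked)('https://api.example.test/me');

  return {
    storageLeak: Object.keys(xssDumpStorage(lsA)).length,           // 1: token found
    memoryLeakViaStorage: Object.keys(xssDumpStorage(lsB)).length,  // 0: nothing to read
    hookLeak: captured[0],                   // bearer captured from the memory-only page anyway
  };
}
```

Whichever store is used, the token should also be scrubbed from the URL once parsed (history.replaceState in a real page) so it does not linger in browser history; that step is left out above because there is no DOM under Node.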
