Thank you Travis for your feedback!

On 20.03.18 at 12:48, Travis Spencer wrote:
> I read through this doc and would like to share a bit of feedback in
> hopes that it helps:
>
> * There is no mention of Content Security Policy (CSP). This is a very
> helpful security mechanism that all OAuth servers and web-based
> clients should implement. I think this needs to be addressed in this
> doc.
> - No mention of frame breaking scripts for non-CSP aware user agents
> - No mention of X-Frame-Options
> * There's no mention of HSTS which all OAuth servers and web-based
> clients should implement (or the reverse proxies in front of them
> should)
If I see this correctly, all of these mechanisms fall in the category of "do web security right" that Jim mentioned, i.e., there are no concrete, OAuth-specific attacks that would be prevented by these. If so, I think we should not mention them in the document.

> * The examples only use 302 and don't mention that 303 is safer[1]
> - Despite what it says in section 1.7 of RFC 6749, many people
> think that a 302 is mandated by OAuth. It would be good to recommend a
> 303 and use examples with other status codes.

Yes, we should address that.

> [1] https://arxiv.org/pdf/1601.01229v2.pdf

(That link, by the way, points to an old version of our paper. There is an updated version with more attacks and a better presentation: https://arxiv.org/pdf/1601.01229.pdf)

Thanks again for your feedback!

-Daniel

--
SEC - Institute of Information Security
University of Stuttgart
Phone +49 711 685 88468
Universitätsstraße 38 - 70569 Stuttgart - Room 2.434
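The two points discussed in this exchange, a 303 rather than 302 redirect for the authorization response and the CSP / X-Frame-Options / HSTS headers, as an added example that is not part of the thread and not code from either author. It assumes a hypothetical authorization server helper `build_authorization_response` that produces the redirect back to the client (code and state in the query, per RFC 6749 section 4.1.2) and a hypothetical `audit_response` that lints an existing response against those points; the header values and the sample URIs and codes are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Illustrative values for the headers named in the thread. They are choices
# made for this example, not settings prescribed by the thread or RFC 6749.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def build_authorization_response(redirect_uri, code, state):
    """Return (status, headers) for the authorization server's redirect back
    to the client's redirect_uri, carrying code and state in the query.

    303 is used instead of the customary 302: for a 303 the user agent always
    issues a GET for the Location, so the method and body of the request that
    triggered the redirect (e.g. a POSTed login form) are never carried over.
    With a 302 that method change is customary but not guaranteed by HTTP.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute https URI")
    if parts.fragment:
        raise ValueError("redirect_uri must not contain a fragment")
    # Preserve any query the client registered, then append the OAuth parameters.
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["code"] = code
    if state is not None:
        query["state"] = state
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    headers = {"Location": location, "Cache-Control": "no-store"}
    headers.update(SECURITY_HEADERS)
    return 303, headers


def audit_response(status, headers):
    """Return a list of shortcomings of a redirect response, measured against
    the points raised in the thread. An empty list means nothing was flagged."""
    findings = []
    if status == 302:
        findings.append("status 302: prefer 303 so the follow-up request is always a GET")
    elif status != 303:
        findings.append(f"status {status}: expected a 303 redirect")
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in SECURITY_HEADERS:
        if name.lower() not in lowered:
            findings.append(f"missing {name}")
    xfo = lowered.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")
    csp = lowered.get("content-security-policy", "")
    if csp and "frame-ancestors" not in csp:
        findings.append("CSP lacks frame-ancestors (no framing protection for CSP-aware user agents)")
    hsts = lowered.get("strict-transport-security", "")
    if hsts and "max-age=" not in hsts:
        findings.append("Strict-Transport-Security lacks max-age")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    status, hdrs = build_authorization_response("https://client.example/cb?app=1", "c0de-sample", "xyz")
    print(status, hdrs["Location"])
    print(audit_response(status, hdrs))
    print(audit_response(302, {"Location": "https://client.example/cb"}))
```

`audit_response` reports only what it can see in the status line and headers; a frame-breaking script for user agents that do not understand CSP, which Travis also mentions, lives in the response body and is outside what this check inspects.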
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
