On 20.11.18 at 13:24, Neil Madden wrote:
> If we are discussing this in the context of client-side web apps/SPAs, then
> surely the threat model includes malicious 3rd party scripts - for which
> neither token binding nor mTLS constrained tokens are very effective as those
> scripts run in the same TLS context as the legitimate client?
Please correct me if I'm wrong, but if a page/SPA/origin includes a malicious third-party script, the third-party script can access all data of that JavaScript. It can exfiltrate tokens and/or send requests on behalf of that page/SPA/origin (using the page/SPA/origin's TLS context, cookies, etc.). So I doubt that there is any better solution than token binding or mTLS. If we assume that an SPA includes a malicious third-party script, it is completely compromised.

-Daniel
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
