> On Dec 7, 2018, at 5:50 AM, Jim Manico <[email protected]> wrote:
<snip>
> I still encourage developers who are not XSS gurus to stick to cookie-based
> sessions or stateless artifacts to talk to the back end and keep OAuth tokens
> only flying intra-server. It's an unpopular opinion, but even moderately good
> XSS defense is equally unpopular

Is this a matter of saying they should have an API for these clients which exposes less of the risky activities? That cookies provide a defense against XSS exfiltration? And/or other?

-DW

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
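The pattern Jim describes (the browser talks to the back end with a cookie session and the OAuth access token only travels server-to-server) is usually called a backend-for-frontend. The following is an added example, not code from the thread or from any OAuth library: it models just enough browser behaviour (HttpOnly cookies are sent on requests but hidden from `document.cookie`) to show what an injected script can exfiltrate in each design. All names (`Browser`, `Bff`, `ResourceServer`, the `sid` cookie, the sample token string) are illustrative assumptions.

```python
"""Added example, not from the thread: backend-for-frontend (BFF) with an HttpOnly
session cookie versus an access token kept where page script can read it.
Class and cookie names are illustrative, not any real library's API."""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = True
    same_site: str = "Lax"


class Browser:
    """Just enough browser state to show what injected script can and cannot read."""

    def __init__(self) -> None:
        self.cookies: Dict[str, Cookie] = {}
        self.local_storage: Dict[str, str] = {}

    def set_cookie(self, cookie: Cookie) -> None:
        self.cookies[cookie.name] = cookie

    def document_cookie(self) -> str:
        # document.cookie never exposes HttpOnly cookies to script.
        return "; ".join(f"{c.name}={c.value}"
                         for c in self.cookies.values() if not c.http_only)

    def cookie_header(self) -> str:
        # The Cookie request header carries every cookie, HttpOnly or not.
        return "; ".join(f"{c.name}={c.value}" for c in self.cookies.values())


class ResourceServer:
    """Stand-in for the OAuth-protected API: accepts exactly one bearer token."""

    def __init__(self, valid_token: str) -> None:
        self.valid_token = valid_token

    def get(self, headers: Dict[str, str]) -> Tuple[int, str]:
        if headers.get("Authorization", "") == f"Bearer {self.valid_token}":
            return 200, "secret resource"
        return 401, ""


class Bff:
    """Backend-for-frontend: maps an opaque session id to the access token."""

    def __init__(self, resource_server: ResourceServer) -> None:
        self.rs = resource_server
        self.sessions: Dict[str, str] = {}  # session id -> token, server-side only

    def complete_login(self, browser: Browser, access_token: str) -> None:
        # The token from the authorization server stays here; the browser only
        # receives a random session id in a cookie that script cannot read.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = access_token
        browser.set_cookie(Cookie("sid", sid, http_only=True, secure=True, same_site="Lax"))

    def api(self, cookie_header: str) -> Tuple[int, str]:
        cookies = dict(part.strip().split("=", 1)
                       for part in cookie_header.split(";") if "=" in part)
        token = self.sessions.get(cookies.get("sid", ""))
        if token is None:
            return 401, ""
        # The bearer token flies server-to-server only.
        return self.rs.get({"Authorization": f"Bearer {token}"})


def xss_payload(browser: Browser) -> Dict[str, str]:
    """Everything a script injected into the page can read and exfiltrate."""
    return {"document.cookie": browser.document_cookie(), **browser.local_storage}


def token_in_browser_flow(access_token: str) -> Dict[str, str]:
    """Anti-pattern: the SPA keeps the access token in localStorage."""
    browser = Browser()
    browser.local_storage["access_token"] = access_token
    return xss_payload(browser)


def bff_flow(access_token: str) -> Tuple[Dict[str, str], Tuple[int, str]]:
    """Cookie session to the BFF; the token never reaches the browser."""
    bff = Bff(ResourceServer(access_token))
    browser = Browser()
    bff.complete_login(browser, access_token)
    leaked = xss_payload(browser)
    # Caveat: script in the page can still *use* the session by calling the BFF,
    # because the browser attaches the cookie. HttpOnly stops exfiltration, not riding.
    response = bff.api(browser.cookie_header())
    return leaked, response


if __name__ == "__main__":
    tok = "ya29.example-access-token"  # constructed sample token
    print("localStorage design leaks:", token_in_browser_flow(tok))
    print("BFF design leaks / API result:", bff_flow(tok))
```

Running it shows the localStorage design handing the full token to the injected script, while the BFF design leaks nothing readable yet still serves the API call, which is the point of the caveat in `bff_flow`: the cookie keeps the token out of the attacker's hands, but an XSS that stays resident in the page can still drive the session while it is open, so the cookie is an exfiltration defence, not a substitute for XSS defence.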
