Hello,

Regarding "OAuth 2.0 for Browser-Based Apps" section 6 ( https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-09#section-6 ), I do have some questions and concerns. Can I get in touch with someone about this?
My main questions are:

- There is a lot of debate around the question. Are these really security best practices?
- Did you consider using a service worker or other frontend solutions (web worker, closure...) for safe token storage? That would make a pure frontend solution at least as safe as cookies.
- Why would a cookie be safer, as this opens CSRF attacks that would make the same actions available to a hacker that would be possible by getting hold of a token (which might even be more difficult)?
- What if the backend is stateless and so doesn't have any session (which defeats 6.1 & 6.2 and leaves no option according to the current draft)?

Best regards.

Yannick Majoros
Valuya sprl
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
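The service-worker token store the message asks about, as an added illustration that is not part of the original post, the draft, or any project's code. It assumes a hypothetical design: the page hands the access token to the worker once (after the code exchange) and the worker keeps it in its own memory, attaches it only to requests bound for an allowlisted resource origin (the constructed `https://api.example.com`), and exposes no message that returns the token. The function names and the origin allowlist are assumptions of this example. It also shows the caveat a reviewer of the draft would raise about this pattern: script injected into the page can no longer read the token, but it can still trigger authorized requests through the worker, so the pattern limits token theft, not token use, and the token disappears whenever the browser terminates the worker.

```javascript
// Service-worker "token vault" (hypothetical design for illustration).
// The page never sees the access token: it stores it once via postMessage and
// the worker rewrites outgoing fetches to the resource server to carry it.

// Constructed allowlist of origins that may receive the bearer token.
const RESOURCE_ORIGINS = new Set(['https://api.example.com']);

// Worker-private state. It lives only in the worker's memory, so a terminated
// worker forgets the token and the page has to obtain a fresh one.
let accessToken = null;

function storeToken(token) {
  if (typeof token !== 'string' || token.length === 0) return false;
  accessToken = token;
  return true;
}

function clearToken() {
  accessToken = null;
}

// Compute the headers an outgoing request should carry, or null to leave the
// request untouched. Only allowlisted origins get the token, and any
// Authorization header supplied by the page is dropped so the worker stays the
// sole source of credentials.
function authorizedHeaders(url, headers) {
  let origin;
  try {
    origin = new URL(url).origin;
  } catch {
    return null; // relative or malformed URL: not a resource-server call
  }
  if (!RESOURCE_ORIGINS.has(origin) || accessToken === null) return null;
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'authorization') out[name] = value;
  }
  out.Authorization = `Bearer ${accessToken}`;
  return out;
}

// Page -> worker control messages. There is deliberately no "read" command:
// the token can be stored or cleared through this channel but never returned.
function handleMessage(msg) {
  switch (msg && msg.type) {
    case 'store':
      return { ok: storeToken(msg.token) };
    case 'clear':
      clearToken();
      return { ok: true };
    default:
      return { ok: false, error: 'unsupported message' };
  }
}

// Hook the pure functions above into the real worker events when this file is
// actually running as a service worker (skipped under Node for the test run).
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    typeof self !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('message', (event) => {
    const reply = handleMessage(event.data);
    if (event.ports && event.ports[0]) event.ports[0].postMessage(reply);
  });
  self.addEventListener('fetch', (event) => {
    const req = event.request;
    const rewritten = authorizedHeaders(req.url, Object.fromEntries(req.headers.entries()));
    if (rewritten) {
      // Re-issue the request with the worker-held token; other requests pass through.
      event.respondWith(fetch(new Request(req, { headers: rewritten })));
    }
  });
}

if (typeof module !== 'undefined') {
  module.exports = { RESOURCE_ORIGINS, storeToken, clearToken, authorizedHeaders, handleMessage };
}
```

In a real deployment the page would register this file with `navigator.serviceWorker.register(...)` and send the `store` message once after the token endpoint responds; the worker must also be the only place the token ever exists, so the page must not keep its own copy or log the token response.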
