Thanks for sharing your slides. Although this is an interesting theoretical attack, I do not think it is much of a concern in practice. If we take your attack vectors from slide 12:
* Referer header leaks: the default policy in browsers since 2019 is strict-origin-when-cross-origin, which prevents this leak [1].
* URL sharing and analytics tools are already addressed by [2] in the original OAuth RFC 6749, which already says to avoid 3rd party analytics on the redirect endpoint and to redirect immediately after collecting the credentials. I think most providers do in fact do this?

That leaves leakage via logs, which IMO is adequately addressed by (a) use of TLS (minimising on-path observers) and (b) using short-lived auth codes.

Fragments and form_post both have significant downsides. Fragments only work with JavaScript, which introduces new failure cases and attack surface (ideally the redirect endpoint would be served with CSP script-src=none). Form post requires use of samesite=none cookies, weakening CSRF protections. I don’t think we should be recommending weakening protections against very real threats (XSS, CSRF) to protect against something that seems unlikely. We can perhaps improve the wording around existing countermeasures if there is evidence they are being ignored, but I think that is enough.

I could be persuaded otherwise, but I’d need to see more evidence that this is a problem in practice and that the countermeasures do more good than harm.

[1]: https://github.com/whatwg/fetch/pull/952
[2]: https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.5

Best wishes,

Neil

> On 4 Nov 2025, at 04:10, Primbs, Jonas <[email protected]> wrote:
>
> Hi all,
>
> according to Aaron’s recommendation, I have created a PR for OAuth 2.1:
> https://github.com/oauth-wg/oauth-v2-1/pull/230
>
> It references OpenID Connect’s response modes (fragment and form_post) as
> solutions for Browser-Swapping attacks, which I have presented in today’s
> OAuth WG meeting.
> If you have missed my presentation, but are still interested, here are my
> slides:
> https://datatracker.ietf.org/meeting/124/materials/slides-124-oauth-sessa-browser-swapping-01
>
> I’m interested in your feedback on this first draft, which currently covers
> only recommendation #2 from my slides, because this is probably the least
> controversial change.
> If you are attending onsite, also feel free to speak to me in the hallway. My
> company gave me enough of the „No, PKCE…“ t-shirts for the rest of the week,
> so that it’s easier for you to find me. @Brian & Mike: I have learned from
> the best ;-)
>
> Greetings,
> Jonas
>
>
> Jonas Primbs M.Sc.
> University of Tübingen
> Faculty of Science
> Department of Computer Science
> Sand 13, 72076 Tübingen, Germany
> Tel.: (+49) 7071 / 29-70512
> Mail: [email protected]
> Web: https://kn.inf.uni-tuebingen.de
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
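As an added illustration of the existing countermeasures Neil refers to (RFC 6749 section 3.1.2.5: no third-party content on the redirect endpoint, redirect immediately after collecting the code, plus a strict Referrer-Policy and a script-free CSP), here is a minimal redirect-endpoint handler. It is example code written for this thread, not code from the OAuth 2.1 draft or from either poster; the `/app` and `/login` paths and the `exchange_code` callable are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Response headers applied to anything this endpoint renders or returns.
# Assumed values: a strict referrer policy, no scripts at all, and no caching,
# so no third-party script or analytics can run on the redirect endpoint.
HARDENING_HEADERS = [
    ("Referrer-Policy", "no-referrer"),
    ("Content-Security-Policy", "default-src 'none'; script-src 'none'"),
    ("Cache-Control", "no-store"),
]


def handle_redirect(request_url, expected_state, exchange_code):
    """Handle a GET to the client's redirect URI.

    Returns (status, headers, body). `exchange_code` is a caller-supplied
    callable (assumed) that redeems the code at the token endpoint, e.g. with
    the PKCE verifier; it is invoked before redirecting so the short-lived,
    single-use code is consumed immediately instead of lingering in a URL.
    """
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    state = query.get("state", [None])[0]

    # Bind the response to the session that started the flow (CSRF check).
    if not state or state != expected_state:
        return 400, list(HARDENING_HEADERS), "state mismatch"

    # Authorization server reported an error: no code to redeem.
    if "error" in query:
        return 303, HARDENING_HEADERS + [("Location", "/login?failed=1")], ""

    code = query.get("code", [None])[0]
    if not code:
        return 400, list(HARDENING_HEADERS), "missing code"

    # Redeem at once, then redirect to an application URL that does not carry
    # the code, so history, bookmarks, shared links and logs of later requests
    # never see it.
    exchange_code(code)
    return 303, HARDENING_HEADERS + [("Location", "/app")], ""
```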
