Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-27 Thread Neil Madden
Right. It’s worth noting that many endpoints already publish similar metadata via OpenAPI (Swagger) API descriptions. Neil On 27 Aug 2023, at 19:42, Dick Hardt wrote: For many resources, the information is already disclosed. What is excessive to you might be crucial to others -- and my use case,

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-27 Thread Dick Hardt
For many resources, the information is already disclosed. What is excessive to you might be crucial to others -- and in my use case, the disclosure is crucial. Extrapolating your basis for objecting, that another endpoint provides additional attack surface, we would not do ANY new endpoints or

Re: [OAUTH-WG] WGLC for Browser-based Apps

2023-08-27 Thread Yannick Majoros
Yes, but this is true for all flows. Web applications are dangerous. Applications handling user input are dangerous too. On Sun, 27 Aug 2023, 17:46, Tom Jones wrote: > You can write your code as strong as you wish. You cannot determine if the > code running in the computer is that code

Re: [OAUTH-WG] WGLC for Browser-based Apps

2023-08-27 Thread Tom Jones
You can write your code as strong as you wish. You cannot determine if the code running in the computer is that code running unaltered. ..tom On Sun, Aug 27, 2023 at 5:25 AM Yannick Majoros wrote: > Thanks for taking the time to respond and for the constructive feedback. > > Still, there is

Re: [OAUTH-WG] WGLC for Browser-based Apps

2023-08-27 Thread Yannick Majoros
Thanks for taking the time to respond and for the constructive feedback. Still, there is some initial incorrect point that makes the rest of the discussion complicated, and partly wrong. Specifically, §6.4.2.1 says this: *The service worker MUST NOT transmit tokens, authorization codes or PKCE

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-27 Thread Jaimandeep Singh
Hi Dick, My previous emails do not even obliquely refer to security by obscurity. It is about design patterns and excessive information disclosure. Regards Jaimandeep Singh On Sat, 26 Aug, 2023, 8:27 pm Dick Hardt, wrote: > Jaimandeep: Do I understand your objection to adoption is that