Mukunda Modell <> changed:

           What    |Removed                     |Added
           Priority|Unprioritized               |Normal
                 CC|                            |

--- Comment #3 from Mukunda Modell <> ---
(In reply to Chris Steipp from comment #2)

> I forgot to comment on this one, but I'm solidly maybe on this. Silent
> redirects make me a little nervous since they've been used, along with other
> vulnerabilities, to silently exploit the other vulnerability. Requiring a
> user click makes another vulnerability much harder to exploit... but I can
> definitely see the use in several scenarios.

The use of this in conjunction with other vulnerabilities doesn't make it
inherently dangerous. When OAuth is only being used for login to a connected
application I don't see where the danger lies. When the OAuth authorization
includes some elevated privileges then I can see the worry; however, couldn't
the authenticate endpoint provide a session without any access beyond the
granting of a login?

The reason I ask is because we are using OAuth for Phabricator login and it's
really not at all convenient or user friendly to ask for authorization each

Wikibugs-l mailing list