https://bugzilla.wikimedia.org/show_bug.cgi?id=69232

Mukunda Modell <mmod...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Unprioritized               |Normal
                 CC|                            |mmod...@wikimedia.org

--- Comment #3 from Mukunda Modell <mmod...@wikimedia.org> ---
(In reply to Chris Steipp from comment #2)

> I forgot to comment on this one, but I'm solidly maybe on this. Silent
> redirects make me a little nervous since they've been used, along with other
> vulnerabilities, to silently exploit the other vulnerability. Requiring a
> user click makes another vulnerability much harder to exploit.. but I can
> definitely see the use in several scenarios.

The use of this in conjunction with other vulnerabilities doesn't make it
inherently dangerous. When oauth is only being used for login to a connected
application I don't see where the danger lies. When the oauth authorization
includes some elevated privileges then I can see the worry, however, couldn't
the authenticate endpoint provide a session without any access beyond the
granting of a login?

The reason I ask is because we are using oauth for phabricator login and it's
really not at all convenient or user friendly to ask for authorization each
time.
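An added illustration of the login-only session the comment asks about (example code written for this note, not MediaWiki's OAuth extension or Phabricator's code): a request that asks for nothing beyond identity is completed without a consent click and the issued session is capped at identity, while a request for any elevated grant is refused until the user explicitly clicks. The grant names, the ConsentRequired exception and the Session class are assumptions made for the example.

```python
"""Added illustration, not MediaWiki's or Phabricator's own code: an
authorization endpoint that completes a login-only request with a silent
redirect but insists on an explicit consent click for anything more, and
never issues a login session carrying grants beyond identity.
The grant names, the ConsentRequired exception and the Session class are
assumptions made for this example."""

from dataclasses import dataclass, field
import secrets

# Constructed grant vocabulary for the example. Only LOGIN_ONLY may be
# approved without a click; everything else is treated as elevated.
LOGIN_ONLY = frozenset({"basic"})
KNOWN_GRANTS = LOGIN_ONLY | {"editpage", "createeditmovepage", "highvolume"}


class ConsentRequired(Exception):
    """Raised when the request cannot be completed without a user click."""


@dataclass(frozen=True)
class Session:
    user: str
    app: str
    grants: frozenset
    token: str = field(default_factory=lambda: secrets.token_hex(16))

    def allows(self, grant: str) -> bool:
        return grant in self.grants


def decide(requested):
    """Classify a request: 'silent' when it asks for nothing beyond login,
    'prompt' when it asks for any elevated grant."""
    requested = frozenset(requested)
    unknown = requested - KNOWN_GRANTS
    if unknown:
        raise ValueError(f"unknown grants requested: {sorted(unknown)}")
    return "silent" if requested <= LOGIN_ONLY else "prompt"


def authorize(user, app, requested, clicked=False):
    """Issue a Session for `app` acting as `user`.

    A login-only request (the Phabricator case) is completed without a
    consent click, and the resulting session is capped at LOGIN_ONLY so a
    silent redirect can never hand out elevated access. A request for
    elevated grants is only honoured after an explicit click."""
    requested = frozenset(requested)
    if decide(requested) == "silent":
        # Cap rather than trust the grant set: whatever reached this
        # branch yields identity-only access.
        return Session(user, app, requested & LOGIN_ONLY)
    if not clicked:
        raise ConsentRequired(
            f"{app} requests {sorted(requested - LOGIN_ONLY)}; show consent page"
        )
    return Session(user, app, requested)


if __name__ == "__main__":
    login = authorize("alice", "phabricator", {"basic"})
    print("login session grants:", sorted(login.grants))
    try:
        authorize("alice", "wikibot", {"basic", "editpage"})
    except ConsentRequired as exc:
        print("blocked:", exc)
```

The point of capping the silent branch at LOGIN_ONLY is that the authenticate flow stays harmless even when chained with some other flaw: the most a forced redirect can obtain is an identity-only session, and anything that edits still has to pass through a page the user sees.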

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l