I like it. I hadn't considered the Referer header as being the leak. Stupid 
secrets in query parameters. It'd be nice if we could do this...

* once the authorization server acks the RP's message, the RP redirects
the user's browser to the authorization server, passing only the
"state=" value in the queryargs

* the authorization server pulls state= from the URL to figure out which
app wants what power.

It seems like there'd be fewer errors if they sent `client_id=foo&state=123`. 
Only because then it doesn't require state to be globally unique, just unique 
to that client. Sure, if they did something like 
`state = crypto.randomBytes(16).toString('hex')`, it'd probably never clash, but still. 
We can't really stop someone from doing a `state = rand(1,100)`...
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
