Can you write this as an actual proposal for the text? EHL
On 4/1/10 8:25 PM, "Brent Goldman" <br...@facebook.com> wrote:

> +1 on both
>
> Regarding clickjacking: If we don't want the flows to be inlined in an iframe,
> specifying that the clients must show the server in a popup doesn't protect
> against malicious clients that choose to show it in an iframe anyway. So I
> think it also makes sense to add to the core spec that servers should protect
> against this. The JavaScript is simple enough that perhaps the spec could give
> an example snippet that any OAuth server could use. E.g.,
>
>     if (top != self && !isTopWindowSafe(top)) {
>         showBigassTransparentDivWithHighZIndex_or_redirectToErrorPage();
>     }
>
> -Brent
>
> On Apr 1, 2010, at 5:48 PM, Allen Tom wrote:
>
>> Websites using OpenID/OAuth/Facebook Connect/Twitter Connect often open a
>> popup window to the user's Identity Provider for the user to complete the
>> AuthZ/AuthN flow rather than taking the user away from the referring site via
>> a full page redirect.
>>
>> In the case where a popup window is used, it's a very good idea to require
>> that the browser's address bar is displayed, and that an independent
>> browser window is used, rather than an inline iframe. These requirements are
>> needed to help prevent the user from being phished in the case where the user
>> has to enter their password, and to ensure that the user's consent was not
>> forged via a clickjacking attack.
>>
>> I believe that the Web Server Flow and the Web Client Flow will often take
>> place within a popup window, so it would make sense to put into the core spec
>> that popups should be independent browser windows with the address bar
>> clearly displayed.
>>
>> Another missing feature in the core spec is support for multiple languages.
>> Given that many Service Providers have a global userbase, client applications
>> will want to have a way to specify the language to be used on the auth
>> screen. While the User Agent's Accept-Language: HTTP header, as well as the
>> user's IP address, could be used as language hints, in practice clients will
>> want the ability to specify the language.
>>
>> Is there consensus to get Popup Window requirements and language support into
>> the OAuth2 core spec?
>>
>> Allen
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
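As an added example (not code from the thread or from any OAuth server), here is the server-side frame check Brent sketches, written as a frame-busting script an authorization server could ship on its consent page; the decision logic is kept separate from the browser calls so it can be tested outside a browser. The allow-listed origin, the function names and the fake-window shape are assumptions made for this example.

```javascript
// Added example: frame-busting for an OAuth authorization/consent page.
// The page refuses to render clickable consent UI when it is framed by a
// top window that is not on the server's own allow-list.

// Constructed allow-list of top-level origins permitted to frame the page
// (typically the server's own site). An empty list means "never framed".
const ALLOWED_TOP_ORIGINS = ["https://auth.example.com"];

// Pure decision: true when the page is framed by an untrusted top window.
// topOrigin is null when it cannot be read (a cross-origin ancestor), which
// is the hostile case clickjacking relies on, so it is treated as unsafe.
function isFramedByUntrustedTop(isTopWindow, topOrigin, allowed) {
  if (isTopWindow) return false;          // top == self: not framed at all
  if (topOrigin === null) return true;    // cross-origin ancestor: unsafe
  return !allowed.includes(topOrigin);    // same-origin but not allow-listed
}

// Reading top.location.origin throws across origins; map that to null.
function readTopOrigin(win) {
  try { return win.top.location.origin; } catch (e) { return null; }
}

// Browser entry point: hide the consent UI and navigate out of the frame.
// Returns whether the page was blocked so callers (and tests) can check it.
function protectAuthorizationPage(win) {
  const blocked = isFramedByUntrustedTop(
    win.top === win.self, readTopOrigin(win), ALLOWED_TOP_ORIGINS);
  if (blocked) {
    win.document.body.style.display = "none";  // nothing clickable to forge
    win.top.location = win.self.location;       // break out of the iframe
  }
  return blocked;
}

// Run automatically when loaded in a real browser page.
if (typeof window !== "undefined") protectAuthorizationPage(window);
```

The script is a best-effort client-side check; a server should also send the X-Frame-Options response header so the browser itself refuses to render the page in an untrusted frame.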