Here is an example with the Location header. I don't see the URI with the access token being truncated. See the Location header generated by the JSP and the actual redirect that the browser followed below.

red.jsp (Running on local Tomcat):

<% String url = "http://www.google.com#access_token=123";
   response.sendRedirect(url); %>

Live HTTP headers trace for Iceweasel Browser:

http://localhost:8080/red.jsp

GET /red.jsp HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=236DAD3EA6288BDC6A780CFFFB9F83E2; Path=/
Location: http://www.google.com#access_token=123
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Mon, 02 Aug 2010 00:18:01 GMT
----------------------------------------------------------
http://www.google.com/#access_token=123

GET / HTTP/1.1
Host: www.google.com


--- On Sun, 8/1/10, Oleg Gryb <oleg_g...@yahoo.com> wrote:

> From: Oleg Gryb <oleg_g...@yahoo.com>
> Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
> To: "Marius Scurtescu" <mscurte...@google.com>, "Bouiaw" <bou...@gmail.com>
> Cc: oauth@ietf.org
> Date: Sunday, August 1, 2010, 7:18 PM
> I'll need to check if it's true for dynamic redirects that use the Location header, but right now I can provide an example where JavaScript is used for redirects, in which case the access token is sent in a URL.
> 
> Let us assume that you've implemented an endpoint on your authz server as a JSP that populates the access token dynamically:
> 
> <html>
> <body onload="window.location.href = 'http://www.google.com#access_token=<%=var_with_token%>'">
> </body>
> </html>
> 
> After the JSP container has expanded the variable, the response that the browser will see looks as follows:
> 
> <html>
> <body onload="window.location.href = 'http://www.google.com#access_token=123'">
> </body>
> </html>
> 
> To test the page above, I put it on my local Apache web server and then accessed it using the Iceweasel browser. I used HTTP Live Headers to see all redirects. The trace is below. Please let me know what I'm missing. The last GET has the access token in it.
> 
> http://localhost/red.html
> 
> GET /red.html HTTP/1.1
> Host: localhost
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> If-Modified-Since: Sun, 01 Aug 2010 23:15:07 GMT
> If-None-Match: "dfa53-67-48ccb4133b4c0"-gzip
> 
> HTTP/1.x 200 OK
> Date: Sun, 01 Aug 2010 23:16:17 GMT
> Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
> Last-Modified: Sun, 01 Aug 2010 23:15:07 GMT
> Etag: "dfa53-67-48ccb4133b4c0"-gzip
> Accept-Ranges: bytes
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 110
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html
> ----------------------------------------------------------
> http://www.google.com/#access_token=123
> 
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost/red.html
> Cookie: 
> PREF=ID=0f1fa5297d3f9d6a:U=f5ef3a217b0cd5bf:TM=1277864220:LM=1278796823:GM=1:S=j8uhrMH9ofdi5YZo;
> NID=37=J2gm7WZsItUM0qhpdyYDiOyE7XuO0tWvSWtOcBpgWZ-Y3Rrb6XJC46TcHkHOqiMUF1ClrcG9JZQ9l0BN8eJUinfWIgsUEw7NuCwphBhwjO1odRifOKngacoHcy83E1wd;
> ; 
> SID=DQAAAHcAAADE79x4u_-iBaW7H0MKg1k42z-x8maC4Cm3nUsu68UmsWtkeKZ1cRpG9_YxNhRNeSqGpeRGwyxyMUFtyLBEtfpwt76t_RgE0BTQRig2NqD82bmbcf_CTC0Eu-7HjxNw_n6cW1gkWrUPS46aCzkeIDHAJHDMoVOrrmkVe3lcOGZ1ZQ;
>  HSID=ASoUGayYF7At1XErl
> 
> ----- Original Message ----
> From: Marius Scurtescu <mscurte...@google.com>
> To: Bouiaw <bou...@gmail.com>
> Cc: Oleg Gryb <o...@gryb.info>; oauth@ietf.org
> Sent: Sun, August 1, 2010 1:03:36 PM
> Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
> 
> On Sun, Aug 1, 2010 at 12:22 PM, Bouiaw <bou...@gmail.com> wrote:
> > Has the redirect with the fragment in the URL, without sending it to the server, been tested with all main browsers?
> 
> AFAIK this is how all major browsers behave. Does anyone know otherwise? Browsers that don't respect this?
> 
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
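A check a reader can run against traces like the ones pasted in this thread, added here as an illustration and not part of any message in it: Live HTTP Headers prints the browser's own location (fragment included) as a banner line before each exchange, while only the request line and headers below it went over the wire. The script parses a constructed trace shaped like the ones above (same URLs, same sample token 123), derives the request-target a user agent sends for a Location value (RFC 7230 origin-form is path plus query; RFC 3986 keeps the fragment client-side, and RFC 7231 forbids it in Referer), and reports whether the token appears in any request-target or Referer header. The trace-format handling and all function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed trace in the shape Live HTTP Headers produces (not the thread's
# verbatim paste, but the same URLs and the same sample token "123"):
# a banner line with the browser's location, a blank line, the request,
# a blank line, the response, then a dashed separator before the next exchange.
SAMPLE_TRACE = """\
http://localhost:8080/red.jsp

GET /red.jsp HTTP/1.1
Host: localhost:8080

HTTP/1.x 302 Moved Temporarily
Location: http://www.google.com#access_token=123
Content-Length: 0
----------------------------------------------------------
http://www.google.com/#access_token=123

GET / HTTP/1.1
Host: www.google.com
Referer: http://localhost:8080/red.jsp
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d$")
SEPARATOR = re.compile(r"^-{5,}[ \t]*$", re.M)


def request_target_for(location):
    """What a conforming user agent sends for a Location value.

    RFC 7230 origin-form is the path plus an optional query; RFC 3986 makes
    the fragment a client-side identifier, so it never enters the request.
    Returns (request_target, fragment_kept_by_client).
    """
    parts = urlsplit(location)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target, parts.fragment


def parse_trace(trace):
    """Split a Live HTTP Headers style dump into per-exchange records."""
    exchanges = []
    for chunk in SEPARATOR.split(trace):
        lines = [ln.rstrip() for ln in chunk.strip("\n").splitlines()]
        if not lines:
            continue
        exch = {
            "browser_url": lines[0].strip(),  # tool banner: the client-side view
            "request_target": None,           # what actually reached the server
            "request_headers": {},
            "response_headers": {},
        }
        current = None
        for line in lines[1:]:
            if not line.strip():
                continue
            m = REQUEST_LINE.match(line)
            if m:
                exch["request_target"] = m.group(2)
                current = exch["request_headers"]
                continue
            if line.startswith("HTTP/"):          # status line opens the response
                current = exch["response_headers"]
                continue
            if current is not None and ":" in line:
                name, _, value = line.partition(":")
                current[name.strip().lower()] = value.strip()
        exchanges.append(exch)
    return exchanges


def wire_leaks(exchanges, marker):
    """(index, field) for every place `marker` was actually sent to a server:
    the request-target or the Referer header."""
    leaks = []
    for i, ex in enumerate(exchanges):
        if ex["request_target"] and marker in ex["request_target"]:
            leaks.append((i, "request-target"))
        if marker in ex["request_headers"].get("referer", ""):
            leaks.append((i, "Referer"))
    return leaks


def client_side_only(exchanges, marker):
    """Indexes where the marker shows in the tool's banner but never went on the wire."""
    leaked = {i for i, _ in wire_leaks(exchanges, marker)}
    return [i for i, ex in enumerate(exchanges)
            if marker in ex["browser_url"] and i not in leaked]


if __name__ == "__main__":
    exchanges = parse_trace(SAMPLE_TRACE)
    print("Location ->", request_target_for(exchanges[0]["response_headers"]["location"]))
    print("on the wire:", wire_leaks(exchanges, "access_token=123"))
    print("banner only:", client_side_only(exchanges, "access_token=123"))
```

Run against the sample, the Location value maps to the request-target `/` with the fragment held by the client, no request-target or Referer carries the token, and the only place it appears is the second banner line, which is the browser's location, not a request. The same parser flags a trace where the token travels in the query string, which is the case that does reach server logs.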
