Can this be reworked to discuss the authorization endpoint specifically? The use of 'target' site is confusing. This section needs to be much more specific to the authorization process.
EHL

> -----Original Message-----
> From: Mark Mcgloin [mailto:mark.mcgl...@ie.ibm.com]
> Sent: Wednesday, July 06, 2011 8:56 AM
> To: Eran Hammer-Lahav
> Cc: oauth@ietf.org; Torsten Lodderstedt
> Subject: Re: [OAUTH-WG] Draft 16 Security Considerations additions
>
> Clickjacking
> Clickjacking is the process of tricking users into revealing confidential
> information or taking control of their computer while clicking on seemingly
> innocuous web pages. In more detail, a malicious site loads the target site in a
> transparent iframe overlaid on top of a set of dummy buttons which are
> carefully constructed to be placed directly under important buttons on the
> target site. When a user clicks a visible button, they are actually clicking a
> button (such as an "Authorize" button) on the hidden page.
>
> To prevent clickjacking (and phishing attacks), native applications SHOULD
> use external browsers instead of embedding browsers in an iFrame when
> requesting end-user authorization. For newer browsers, avoidance of
> iFrames can be enforced server side by using the X-FRAME-OPTION header.
> This header can have two values, deny and sameorigin, which will block any
> framing or framing by sites with a different origin, respectively. For older
> browsers, JavaScript framebusting techniques can be used but may not be
> effective in all browsers.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
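The two defences Mark's draft text names, applied to the authorization endpoint specifically, as an added example that is not part of the thread or of any OAuth draft. The function and constant names (framingHeaders, isFramedRequest, handleAuthorizationRequest, framebust, CONSENT_PAGE) are illustrative. Two things go beyond the quoted text: the response header is actually spelled X-Frame-Options (the draft writes X-FRAME-OPTION), and the block also emits the CSP frame-ancestors directive and checks the Sec-Fetch-Dest request header, both of which postdate the thread and are the mechanisms current browsers honour.

```javascript
// Added example (not from the OAuth thread): framing protection for an OAuth
// authorization endpoint. Server side: X-Frame-Options plus CSP frame-ancestors
// (the latter is an addition beyond the thread). Client side: the framebusting
// fallback the draft text mentions for browsers that ignore the headers.

const FRAMING_POLICIES = {
  // "deny": the consent page may never be framed. This is the right default for an
  // authorization endpoint, which never legitimately renders inside another page.
  deny: { xfo: 'DENY', csp: "frame-ancestors 'none'" },
  // "sameorigin": only the authorization server's own origin may frame it.
  sameorigin: { xfo: 'SAMEORIGIN', csp: "frame-ancestors 'self'" },
};

// Response headers that tell the browser not to render the consent page in a frame.
function framingHeaders(policy = 'deny') {
  const p = FRAMING_POLICIES[policy];
  if (!p) throw new Error(`unknown framing policy: ${policy}`);
  return { 'X-Frame-Options': p.xfo, 'Content-Security-Policy': p.csp };
}

// Fetch Metadata check (addition beyond the thread): current browsers send
// Sec-Fetch-Dest, so a request whose destination is a frame can be refused before
// any consent UI is produced. Assumes lower-cased header names, as Node's http
// module provides. Older browsers send no Sec-Fetch-Dest and fall through to the
// response headers above, so this is defence in depth, not a replacement.
function isFramedRequest(requestHeaders) {
  const dest = String(requestHeaders['sec-fetch-dest'] || '').toLowerCase();
  return ['iframe', 'frame', 'embed', 'object'].includes(dest);
}

// Client-side framebusting for browsers that honour neither header. The page ships
// with <html style="display:none"> and is only revealed once this code confirms it is
// the top-level window. A framing page that manages to block the redirect (iframe
// sandbox without allow-top-navigation, or an onbeforeunload handler, both known
// bypasses of naive framebusting) therefore shows a blank frame rather than a
// clickable "Authorize" button. Takes a window-like object so it can be tested
// outside a browser; location.replace is callable on a cross-origin top window.
function framebust(win) {
  if (win.self === win.top) {
    win.document.documentElement.style.display = 'block';
    return false;
  }
  win.top.location.replace(win.self.location.href);
  return true;
}

// Constructed consent page. framebust() is serialised into the page so the browser
// runs exactly the logic tested here.
const CONSENT_PAGE = `<!doctype html>
<html style="display:none">
<head><script>(${framebust.toString()})(window);</script></head>
<body><form method="post"><button name="approve">Authorize</button></form></body>
</html>`;

// Minimal authorization-endpoint handler, returned as a plain object so it runs
// without a web server. Only the framing decision is shown; request parameter
// validation, client lookup and the actual consent flow are out of scope here.
function handleAuthorizationRequest(request, policy = 'deny') {
  const headers = framingHeaders(policy);
  if (isFramedRequest(request.headers)) {
    return { status: 403, headers, body: 'authorization must be requested from a top-level browsing context' };
  }
  return { status: 200, headers, body: CONSENT_PAGE };
}
```

Note that none of this helps a native application that embeds a web view, which is why the draft text tells native apps to hand authorization to the external browser: an embedding app controls the rendering surface outright and can overlay whatever it likes regardless of headers or scripts.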