Can you provide this in a form suitable for pasting into the current text? Browser same origin policy is enforced by the user-agent, and is beyond the scope of this protocol.
EHL

> -----Original Message-----
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Friday, July 08, 2011 11:52 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Authorization code security considerations
>
> On Fri, Jul 8, 2011 at 11:39 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> > How exactly? They are not confidential by nature, being received via
> > redirection in the URI query. I know what this sentence is trying to
> > accomplish but not sure how to do that with normative language. SHOULD
> > doesn't really work here either.
>
> The browser same origin policy does apply to URI queries. They MUST be
> kept confidential, i.e. only sent to authorized entities. That
> covers:
>
> - the client web site
> - the browser

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth