Can't LocalStorage etc. be stolen with XSS too? If an attacker gets their JS running on the page then the game is up.

Ian

On Mon, Jul 11, 2011 at 7:06 PM, Larry Suto <larry.s...@gmail.com> wrote:
> Cookies can be stolen by directed XSS attacks.
>
> Larry
>
> On Mon, Jul 11, 2011 at 3:46 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>>
>> Any cookie? What about a Secure cookie limited to a specific sub-domain?
>> What are the concerns about cookies? I think this would be helpful to
>> discuss.
>>
>> EHL
>>
>> > -----Original Message-----
>> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> > Of Marius Scurtescu
>> > Sent: Monday, July 11, 2011 3:15 PM
>> > To: Doug Tangren
>> > Cc: oauth@ietf.org
>> > Subject: Re: [OAUTH-WG] best practices for storing access token for
>> > implicit clients
>> >
>> > On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <d.tang...@gmail.com> wrote:
>> > > What is the current recommended practice of storing an implicit
>> > > client's access_tokens? LocalStorage, in mem and re-request auth on
>> > > every browser refresh?
>> >
>> > Both sound reasonable. I think most important is how NOT to store it, in
>> > a cookie.
>> >
>> > Marius
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth

--
Ian McKellar <http://ian.mckellar.org/>
i...@mckellar.org: email | jabber | msn
ianloic: flickr | aim | yahoo | skype | linkedin | etc.
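The two storage options Doug asked about, as an added example that is not part of the thread: the token persisted in localStorage is readable by key from any script on the origin, while a token held only in a closure exposes no property to read, though code running in the page can still drive the request wrapper, which is Ian's point. The `fakeLocalStorage` and `recordingFetch` stand-ins are constructed so the block runs outside a browser.

```javascript
// Constructed stand-in for window.localStorage so this runs under Node.
const fakeLocalStorage = (() => {
  const m = new Map();
  return {
    setItem: (k, v) => m.set(k, String(v)),
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => m.delete(k),
  };
})();

// Option 1: persist the token in localStorage. Any script running on the
// same origin, legitimate or injected, can read it back by key.
function storeInLocalStorage(storage, token) {
  storage.setItem('access_token', token);
}
function readFromLocalStorage(storage) {
  return storage.getItem('access_token');
}

// Option 2: keep the token only in memory, inside a closure, and expose a
// single function that attaches it to outgoing requests. The raw value is
// not reachable as a property, and it is gone on page refresh, so the
// client re-runs the implicit flow, as the thread suggests.
function createMemoryTokenClient(token, fetchImpl) {
  let accessToken = token;
  return {
    authorizedFetch: (url, init = {}) => {
      const headers = { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` };
      return fetchImpl(url, { ...init, headers });
    },
    clear: () => { accessToken = null; },   // e.g. on logout; nothing persists
    hasToken: () => accessToken !== null,
  };
}

// Constructed stand-in for fetch that records what would have been sent.
function recordingFetch(log) {
  return (url, init) => { log.push({ url, auth: init.headers.Authorization }); return Promise.resolve({ ok: true }); };
}

function demo() {
  const token = 'CONSTRUCTED-TOKEN-123';   // constructed sample value
  storeInLocalStorage(fakeLocalStorage, token);
  const log = [];
  const client = createMemoryTokenClient(token, recordingFetch(log));
  client.authorizedFetch('https://api.example.test/me');
  return {
    readableFromStorage: readFromLocalStorage(fakeLocalStorage),        // token handed to any same-origin script
    readableFromClient: Object.keys(client).includes('accessToken'),    // false: no property exposes the value
    requestCarriedToken: log[0].auth === `Bearer ${token}`,             // but injected code can still call authorizedFetch
  };
}
```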