Good eye! Seeing this now, I agree, but I admit I never fully
understood what "embedded user-agents" were before.
Igor
On 9/6/2011 11:52 PM, Manger, James H wrote:
A strange aspect of this thread is that the current draft already talks about
exactly this issue:
draft-ietf-oauth-v2-21 section 9 "Native Applications"
"...Native applications can invoke an external user-agent or
embed a user-agent within the application
...
Embedded user-agents pose a security challenge because resource
owners are authenticating in an unidentified window without access
to the visual protections found in most external user-agents.
Embedded user-agents educate end-user to trust unidentified
requests for authentication (making phishing attacks easier to
execute)."
The webView that Michael Thomas talks about is an "embedded user-agent".
--
James Manger
----------
From: [email protected] [mailto:[email protected]] On Behalf Of
Michael Thomas
...
At this point, it would be just nice for the industry to know that the issue
even *exists*.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth