On 24/04/15 13:28, Justin Richer wrote:
>
> It can get as bad as the web, which is pretty bad, but I hope we don't
> have to point that out in great detail in every RFC that deals with the
> web. :) I think the drive-by-download malware example is a good one, and
> we could add another concrete one if you've got an idea, but I think the
> advice we have is sound and actionable and we should avoid having this
> spec be a catalogue of "bad things what can happen on the web". If there
> is such a reference, I'm happy to point to it!
That's fair. I'm not aware of a really good reference, tbh. I wonder if there are any relevant bits in the OAuth threat analysis? (I've not looked.) Or just a pointer to some well-known incident might help. But this is a non-blocking comment, so you should feel entirely free to handle it as you think best.

Cheers,
S.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth