> On Dec 7, 2018, at 5:50 AM, Jim Manico <j...@manicode.com> wrote:
<snip>
> I still encourage developers who are not XSS gurus to stick to cookie-based
> sessions or stateless artifacts to talk to the back end and keep OAuth tokens
> only flying intra-server. It's an unpopular opinion, but even moderately good
> XSS defense is equally unpopular

Is this a matter of saying they should have an API for these clients which exposes less of the risky activities? That cookies provide a defense against XSS exfiltration? And/or other?

-DW

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth