+1
However, we should be careful how we prohibit it... because if the state
value is actually signed, having the URL there isn't a problem as the
attacker cannot manipulate the value without breaking the signature.
On 4/20/20 5:28 PM, Mike Jones wrote:
I've seen several circumstances where "clever" clients implement an open
redirector by encoding a URL to redirect to in the state parameter value. Attackers can
then utilize this open redirector by choosing a state value.
Can we please add an explicit prohibition of this practice in
draft-ietf-oauth-security-topics?
Thanks,
-- Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
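The two positions in this thread, a client that redirects to a URL read out of the state parameter and a client whose state is signed so the URL cannot be swapped, as an added example that is not part of the original messages. It is my own illustration, not any OAuth implementation's code; the HMAC-SHA256 signing scheme, the `rt`/`n` payload field names and the demo key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real client keeps this server-side and rotates it.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(return_to: str, key: bytes) -> str:
    """Build a signed state value carrying the post-login return URL.

    The nonce makes each state unique (the usual CSRF binding); the
    HMAC tag is what stops anyone but the client from choosing the URL.
    """
    body = json.dumps({"rt": return_to, "n": secrets.token_hex(16)})
    payload = _b64u(body.encode())
    tag = _b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_state(state: str, key: bytes) -> Optional[str]:
    """Return the embedded URL only if the tag verifies, otherwise None."""
    # Reading the URL out of an unsigned state is the open redirector above.
    try:
        payload, tag = state.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(_b64u_decode(tag), expected):
            return None
        return json.loads(_b64u_decode(payload))["rt"]
    except (ValueError, KeyError, TypeError):
        return None


def replace_return_url(state: str, new_return_to: str) -> str:
    """Swap the URL inside an existing state but keep its original tag."""
    payload, tag = state.split(".", 1)
    data = json.loads(_b64u_decode(payload))
    data["rt"] = new_return_to
    return f"{_b64u(json.dumps(data).encode())}.{tag}"
```

On the redirect URI handler, only a state that passes `verify_state` yields a return URL; a state with a swapped URL, a wrong key or a malformed tag yields `None` and the client falls back to its default landing page.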