I think it does warrant mentioning, because the main assumptions about an SPA are that everything goes from the browser to the API itself. It might be surprising to a user or even a naive developer that every request goes through another party as a black box. Even if it's all first party and deployed together, that model should be called out by the draft as an assumption for privacy. After all, this section is for considerations - things you should think about that might not be obvious.
- Justin

________________________________
From: Philippe De Ryck <phili...@pragmaticwebsecurity.com>
Sent: Sunday, March 24, 2024 5:40 AM
To: Justin Richer <jric...@mit.edu>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth for Browser-Based Apps

Hi Justin,

Thank you for your detailed review.

> §9+ this draft should add privacy considerations, particularly for BFF
> pattern's proxy architecture.

I wanted to ask for a bit more context on this comment. I understand that having a proxy as a separate entity would expose all requests/responses to this entity. However, in the context of a BFF, the frontend and the BFF belong together (i.e., they are one application deployed as two components). The frontend and BFF are deployed and operated by the same party, so I'm not sure if this comment effectively applies.

Looking forward to hearing from you.

Philippe
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
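To make the architecture under discussion concrete, here is an added illustration in Python. It is not code from the draft, from the thread, or from any BFF implementation; the session store, the token value, the API origin, the simulated resource server and the log format are all constructed for the example. It models the point both messages circle around: in the BFF pattern the browser sends only a cookie, the BFF resolves that cookie to the access token and forwards the call, so the BFF necessarily has every request and response in hand. The log entry shows the kind of data minimisation a privacy consideration would point to (sizes, status and a session hash rather than bodies, tokens or raw cookies), and a helper checks that nothing secret was retained.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed for this example: server-side session store mapping the
# browser's session cookie to the access token the BFF holds on its behalf.
SESSION_STORE: Dict[str, str] = {
    "sess-abc123": "at-example-token-never-sent-to-browser",
}
# Tokens the simulated resource server below will accept (constructed).
VALID_TOKENS = set(SESSION_STORE.values())

# Assumed upstream resource server origin (placeholder, not a real host).
API_ORIGIN = "https://api.example.internal"


@dataclass
class BrowserRequest:
    """What the browser sends to the BFF: a cookie, never a bearer token."""
    cookie: Optional[str]
    method: str
    path: str
    body: str = ""


@dataclass
class UpstreamRequest:
    """What the BFF sends to the API: the same call plus the bearer token."""
    url: str
    method: str
    headers: Dict[str, str]
    body: str


@dataclass
class LogEntry:
    """Data-minimised record of a relayed call: no body, no token, hashed session."""
    session_hash: str
    method: str
    path: str
    request_bytes: int
    response_status: int


# Shape of the (simulated) upstream API: request -> (status, headers, body).
ApiCall = Callable[[UpstreamRequest], Tuple[int, Dict[str, str], str]]


@dataclass
class Bff:
    log: List[LogEntry] = field(default_factory=list)

    def build_upstream(self, req: BrowserRequest) -> UpstreamRequest:
        """Resolve the cookie to a token and attach it; the browser never sees the token."""
        token = SESSION_STORE.get(req.cookie or "")
        if token is None:
            raise PermissionError("no valid session cookie")
        return UpstreamRequest(
            url=API_ORIGIN + req.path,
            method=req.method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
            body=req.body,
        )

    def relay(self, req: BrowserRequest, api: ApiCall) -> Dict[str, object]:
        """Forward one browser call through the BFF and return what the browser gets back.

        At this point the BFF holds the full request and the full response;
        the log entry deliberately keeps only sizes, status and a session hash.
        """
        upstream = self.build_upstream(req)
        status, _upstream_headers, body = api(upstream)
        self.log.append(LogEntry(
            session_hash=hashlib.sha256((req.cookie or "").encode()).hexdigest()[:12],
            method=req.method,
            path=req.path,
            request_bytes=len(req.body.encode()),
            response_status=status,
        ))
        # Only status and body go back to the browser; upstream headers are not relayed.
        return {"status": status, "body": body}


def fake_api(upstream: UpstreamRequest) -> Tuple[int, Dict[str, str], str]:
    """Constructed stand-in for the resource server: checks the bearer token and echoes."""
    auth = upstream.headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in VALID_TOKENS:
        return 401, {}, '{"error":"invalid_token"}'
    return 200, {"X-Upstream-Trace": "trace-1"}, '{"echo":' + upstream.body + '}'


def log_leaks_secrets(bff: Bff, req: BrowserRequest) -> bool:
    """True if any log entry retained the token, the raw cookie or the request body."""
    token = SESSION_STORE.get(req.cookie or "", "")
    text = repr(bff.log)
    return any(s and s in text for s in (token, req.cookie, req.body))


if __name__ == "__main__":
    bff = Bff()
    req = BrowserRequest("sess-abc123", "POST", "/v1/messages", '{"to":"alice","text":"hi"}')
    print(bff.relay(req, fake_api))
    print(bff.log)
    print("log leaks secrets:", log_leaks_secrets(bff, req))
```

The relay is where the "black box" in Justin's comment lives: `relay` sees the plaintext body and the full upstream response regardless of who operates it, which is why it is worth stating as an assumption even when frontend and BFF are one deployment. Whether the operator logs bodies, retains tokens beyond the session, or shares the log with a third party is a separate decision, and `log_leaks_secrets` is a cheap check that a real BFF's logging configuration stayed on the minimal side.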