On 1 Jul 2024, at 14:31, Chaitanya Reddy <nchaitreddyutilit...@gmail.com> wrote:
>
> Hi Neil and Filip,
>
> Thank you so much for the quick revert.
>
> Neil, in the last statement you mentioned "I would say in this case the onus
> falls on the client to validate the state value before blindly copying it
> into the Location header." since the state can contain anything in it. Yes,
> I do agree that the client should be the one validating the state. I already
> informed them of the same.
> But when I found that another client is vulnerable to open redirection due to
> this, I realised that instead of multiple clients validating the state value,
> wouldn't it be better if the Authorization server does this? One fix from
> google and all the vulnerable clients would already be free from this
> vulnerability.
That would be nice, but it would almost certainly be a breaking change from
Google’s point of view. I’m not really sure how Google *could* validate this in
any sensible way.
— Neil
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
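The client-side validation Neil refers to, shown as an added example that is not code from the thread, from Google, or from any OAuth library. It contrasts the pattern that causes the open redirect (reflecting the `state` parameter into the `Location` header) with a client that treats `state` as an opaque, single-use token, compares it against a server-side copy, and derives the post-login destination only from a stored, validated local path. The in-memory session dictionary and the function names are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory stand-in for the client's server-side session store:
# session id -> pending authorization request. Assumed for this example only.
_SESSIONS = {}


def vulnerable_redirect_target(received_state):
    """The anti-pattern under discussion: the client stuffed its intended
    destination into `state` and, on callback, copies whatever comes back
    straight into the Location header. Anyone who can start the flow with a
    crafted state (or simply hit the callback URL) picks the redirect target."""
    return received_state


def is_local_path(path):
    """Accept only a same-origin relative path: must start with a single '/',
    carry no scheme or host, and contain no backslashes (which some browsers
    normalise into '//', turning a 'local' path into a protocol-relative URL)."""
    if not path or not path.startswith("/") or path.startswith("//"):
        return False
    if "\\" in path:
        return False
    parts = urlsplit(path)
    return not parts.scheme and not parts.netloc


def begin_login(session_id, return_to):
    """Start an authorization request: mint a random, opaque state token and
    remember it server-side together with the (validated) return path.
    The state carries no meaning of its own, so there is nothing to reflect."""
    state = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = {
        "state": state,
        # Unsafe destinations fall back to the site root rather than being stored.
        "return_to": return_to if is_local_path(return_to) else "/",
    }
    return state


def finish_login(session_id, received_state):
    """Callback handling. Returns the redirect target on success, None on failure.
    The state is single-use (popped from the store), compared in constant time,
    and the destination comes from the stored record, never from the request."""
    pending = _SESSIONS.pop(session_id, None)
    if pending is None or not isinstance(received_state, str):
        return None
    if not hmac.compare_digest(pending["state"].encode("utf-8"),
                               received_state.encode("utf-8")):
        return None
    return pending["return_to"]


if __name__ == "__main__":
    # Constructed walk-through: an honest flow, then a callback carrying an attacker URL.
    s = begin_login("sess-1", "/account")
    print("honest callback ->", finish_login("sess-1", s))
    s = begin_login("sess-2", "/account")
    print("tampered state  ->", finish_login("sess-2", "https://attacker.example/"))
    print("reflected state ->", vulnerable_redirect_target("https://attacker.example/"))
```

The check Neil asks for is thus two checks in practice: the callback's `state` must equal the value the client itself generated for this session, and the value the client redirects to must be something it stored and validated before the round trip, not something recovered from the parameter. With that structure, the authorization server's treatment of `state` stops mattering for redirect safety, which is the practical answer to the question of whether Google could fix this centrally.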