Thanks for your review, Marc, we've published a new version addressing your feedback.
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-23.html

You can also see the more detailed commits and discussion on GitHub: https://github.com/oauth-wg/oauth-browser-based-apps/issues/72

Responses inline:

On Mon, Feb 3, 2025 at 8:00 AM Marc Blanchet via Datatracker <nore...@ietf.org> wrote:

> Reviewer: Marc Blanchet
> Review result: Ready with Nits
>
> I've reviewed this document as an assigned ART reviewer. I'm not an expert in OAuth. I haven't seen any issue from the perspective of ART or i18n. I found this document comprehensive and detailed and useful for application architects and developers.
>
> I have the following comments.
>
> Substantive:
> - On my reading, it seems that the only foundation threat here is the ability for the attacker to inject malicious code. Okay. If this is the case, I think this should be pointed out clearly at the beginning of the document.

That is correct; this is now better explained in the intro to the threats in Section 5.

> - On my reading, I see that this document discusses two topics: security issues and best practices for browser-based apps that are using any kind of authentication mechanism, and specific ones when using OAuth. I'm wondering if a) we already have any document that already describes the generic issues, in which case we should refer or update; b) if we don't have, given that a lot of this document is valuable for issues not specifically related to OAuth, that we could split the document in two: one for non-OAuth issues and then having the second one strictly on OAuth-specific issues. That way, the first one can be referenced by non-OAuth work. Having said that, that suggestion may have been discussed already in the working group or may not make sense for reasons I don't know. Please discard if it does not make sense.

This has been clarified in Section 5: the intent is to discuss things specifically in relation to OAuth, not general browser security recommendations.

> Editorial:
> - Section 4: expand PKCE on first use and add a reference. That expansion is done later in the document in Section 6.3.2.1, so then remove that expansion there.
> - DPoP similarly.

References have been added throughout.
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org