Thanks for the info,
As I read it, this is an attack on JavaScript callbacks.
The information tying it to OAuth is not clear.
Is the issue relating to JS people using the implicit flow and the JS loaded
from the client somehow being vulnerable?
Or is this happening in the JS after authorizat

hi *, just sharing.
Not directly related to OAuth per se but it exploits several OAuth client
endpoints due to some common developer patterns
http://www.benhayak.com/2015/06/same-origin-method-execution-some.html
(concrete example in
http://www.benhayak.com/2015/05/stealing-private-photo-album

Hi,
I'm probably missing something here, but what is the use case for allowing
the plain transform method in PKCE? It seems to me the entire point of
sending the hash of the code_verifier (code_challenge) rather than the
code_verifier itself is to avoid leaking the code_verifier through
the brows