Hi John,
On 24.04.2016 at 22:58, John Bradley wrote:
I did talk about using "jti" for state replay protection in
https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-05
Not that any developer looks at that ID, but I should probably expand
the advice for replay protection for sta
Yes that policy will be in new browsers but that will not be all browsers for
some time (probably not until XP dies)
We are going to have the old browser issue with Token binding as well.
At some point AS may need to restrict what older browsers can do as they will
have different security prof
Inline
> On Apr 25, 2016, at 6:01 AM, Daniel Fett wrote:
>
> On 24.04.2016 at 22:31, John Bradley wrote:
>> I described a similar attack at the meeting in Darmstadt. Using stolen
>> state to inject code from a different session.
>>
>> We were calling that the cut and paste attack. The propo
On 25.04.2016 at 15:11, Antonio Sanso wrote:
>>> Checking referrer is a weak protection at best, as that is easily faked in
>>> many circumstances.
>>
>> Note that we do not propose checking the referrer as a mitigation; we
>> propose using the referrer policy (at the client) to suppress the
>> r
hi
On Apr 25, 2016, at 3:01 PM, Daniel Fett wrote:
> On 24.04.2016 at 22:31, John Bradley wrote:
>> I described a similar attack at the meeting in Darmstadt. Using stolen
>> state to inject code from a different session.
>>
>> We were calling that the cut and paste attack. The proposed mit
On 24.04.2016 at 22:31, John Bradley wrote:
> I described a similar attack at the meeting in Darmstadt. Using stolen state
> to inject code from a different session.
>
> We were calling that the cut and paste attack. The proposed mitigation is
> ing the draft that Mike and I did.
>
> This w
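As an added illustration of the two points raised in this thread (a unique "jti" giving the client one-time-use state, and binding state to the browser session so a state value lifted from one session cannot be used to inject an authorization code into another), here is a client-side state issuer/verifier. This is example code, not text from the thread or from draft-bradley-oauth-jwt-encoded-state; the StateManager class, the "sid" claim and the session-hash binding are assumptions made for this example, and the signature is a hand-rolled HS256 JWS rather than a library call.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sid(session_id: str) -> str:
    # Assumed (non-standard) claim value: a hash of the browser session id, so the
    # state is bound to the session that started the flow without sending the raw id to the AS.
    return hashlib.sha256(session_id.encode()).hexdigest()

class StateManager:
    """Issues and verifies HS256-signed JWT 'state' values at the OAuth client."""

    def __init__(self, key: bytes, ttl: int = 600):
        self.key = key         # client-side secret; the AS never needs it
        self.ttl = ttl         # seconds a state value stays acceptable
        self.used_jti = set()  # consumed jti values (prune entries past exp in production)

    def issue(self, session_id: str, now=None) -> str:
        now = int(time.time() if now is None else now)
        claims = {"jti": secrets.token_urlsafe(16),  # unique id -> single use
                  "iat": now, "exp": now + self.ttl, "sid": _sid(session_id)}
        enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
        signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def verify(self, state: str, session_id: str, now=None):
        """Return (claims, None) if the state is acceptable, else (None, reason)."""
        now = int(time.time() if now is None else now)
        if state.count(".") != 2:
            return None, "malformed state"
        head, body, sig = state.split(".")
        expected = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None, "bad signature"  # forged or tampered state
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None, "unexpected alg"  # refuse alg confusion / "none"
        claims = json.loads(_b64url_decode(body))
        if claims.get("exp", 0) < now:
            return None, "expired"
        if claims.get("sid") != _sid(session_id):
            return None, "state issued for another session"  # cut-and-paste attempt
        if claims.get("jti") in self.used_jti:
            return None, "replayed state"
        self.used_jti.add(claims["jti"])  # consume: one callback per state value
        return claims, None
```

The client calls issue() when building the authorization request and verify() on the redirect back, rejecting the callback (and the code it carries) on any non-None reason; the used_jti set needs a shared store and expiry-based pruning when the client runs on more than one node.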