[OAUTH-WG] (no subject)

2018-12-07 Thread Chef Saroar
Hi

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

2018-12-07 Thread Nov Matake
Hi Vittorio,

> did all the vendors on the list work on proof of concepts to ensure that the practices recommended here can work with your product, end to end?

I’m not currently working on SPA apps nor apps using implicit flow. However, my previous client is using hybrid flow to fetch access t

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

2018-12-07 Thread David Waite
> On Dec 7, 2018, at 5:50 AM, Jim Manico wrote:
> I still encourage developers who are not XSS gurus to stick to cookie-based sessions or stateless artifacts to talk to the back end and keep OAuth tokens only flying intra-server. It’s an unpopular opinion, but even moderately good XSS

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

2018-12-07 Thread Jim Manico
I wanted to address Vittorio’s comment on XSS and LocalStorage. One XSS attack can extract all of LocalStorage in one line of code. It’s trivial. And after studying XSS for years, I believe that most developers are not capable of building good XSS defense into complex UIs and the trends to use