<div dir="ltr">Another transport mode (in addition to posmessage) that is available in immediate mode is CORS.<div><br></div><div>Agree with the proposed clarification of disallowing query encoding.</div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Mon, Oct 14, 2013 at 5:42 PM, Michael Jones <span dir="ltr"><<a href="mailto:issues-reply@bitbucket.org" target="_blank">issues-reply@bitbucket.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
New issue 887: Multiple Response Types - Content that SHOULD be fragment encoded MUST NOT be query encoded<br>
<a href="https://bitbucket.org/openid/connect/issue/887/multiple-response-types-content-that" target="_blank">https://bitbucket.org/openid/connect/issue/887/multiple-response-types-content-that</a><br>
<br>
Michael Jones:<br>
<br>
We talked about this on the call today. I asked why responses are described as “SHOULD be fragment encoded”, rather than “MUST be fragment encoded” in the OAuth Multiple Response Types document. John said that the SHOULDs are to leave the door open for using PostMessage - not to allow query encoding.<br>
<br>
He pointed out that the HTTP Referer header includes query parameters, and so any query parameter encoded content will leak to third parties. This is a huge security hole that is prevented by the fragment encoding.<br>
<br>
The only OAuth value that can be safely query encoded is "code", and then when using a confidential client. That's OK because the Code is not useful to a third party that doesn't have the Client Secret.<br>
<br>
The working group decided to clarify the specs to explicitly prohibit (MUST NOT) query encoding any parameters other than Code.<br>
<br>
Responsible: mbj<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>--Breno<br>
</div>