Re: [OAUTH-WG] Redirects
"Manger, James H" <James.H.Manger@team.telstra.com> Fri, 07 May 2010 06:28 UTC
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: David Recordon <recordond@gmail.com>
Date: Fri, 07 May 2010 16:28:08 +1000
Thread-Topic: [OAUTH-WG] Redirects
Thread-Index: AcrtrKmE5Sbt98WxT7+eYBf4kRokkAAABn6A
Message-ID: <255B9BB34FB7D647A506DC292726F6E112631B273F@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B257D@WSMSG3153V.srv.dir.telstra.com> <v2nfd6741651005062235g211564dfr6aaf6a72bf4dfaa@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B26C0@WSMSG3153V.srv.dir.telstra.com> <v2qfd6741651005062315rfc3bcde1mee4c22a40de852fe@mail.gmail.com>
In-Reply-To: <v2qfd6741651005062315rfc3bcde1mee4c22a40de852fe@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Redirects
> Don't you have larger problems if your protected resources are compromised?

There is no compromise. It is perfectly normal for a service to return content with links to arbitrary other sites. Even redirects to arbitrary other sites (open redirectors) — though they cause some issues — don’t mean the protected resources are compromised. It just means clients need to be careful when following links and redirects on the web, and they need the right info to be able to be careful (such as when to include a token).

All the “connections” in the Facebook API example shown below are to Facebook. If Facebook allowed user-generated values for some of these that could point to other sites, it wouldn’t mean Facebook was compromised technically, but it would mean a token should be included when getting some but not others.

https://graph.facebook.com/btaylor?metadata=1

{
  "id": "220439",
  "name": "Bret Taylor",
  "first_name": "Bret",
  "last_name": "Taylor",
  "link": "http://www.facebook.com/btaylor",
  "location": {
    "id": 109650795719651,
    "name": "Los Gatos, California"
  },
  "gender": "male",
  "metadata": {
    "connections": {
      "home": "https://graph.facebook.com/btaylor/home",
      "feed": "https://graph.facebook.com/btaylor/feed",
      "friends": "https://graph.facebook.com/btaylor/friends",
      "family": "https://graph.facebook.com/btaylor/family",
      "activities": "https://graph.facebook.com/btaylor/activities",
      "interests": "https://graph.facebook.com/btaylor/interests",
      "music": "https://graph.facebook.com/btaylor/music",
      "books": "https://graph.facebook.com/btaylor/books",
      "movies": "https://graph.facebook.com/btaylor/movies",
      "television": "https://graph.facebook.com/btaylor/television",
      "likes": "https://graph.facebook.com/btaylor/likes",
      "posts": "https://graph.facebook.com/btaylor/posts",
      "tagged": "https://graph.facebook.com/btaylor/tagged",
      "statuses": "https://graph.facebook.com/btaylor/statuses",
      "links": "https://graph.facebook.com/btaylor/links",
      "notes": "https://graph.facebook.com/btaylor/notes",
      "photos": "https://graph.facebook.com/btaylor/photos",
      "albums": "https://graph.facebook.com/btaylor/albums",
      "events": "https://graph.facebook.com/btaylor/events",
      "groups": "https://graph.facebook.com/btaylor/groups",
      "videos": "https://graph.facebook.com/btaylor/videos",
      "picture": "https://graph.facebook.com/btaylor/picture",
      "inbox": "https://graph.facebook.com/btaylor/inbox",
      "outbox": "https://graph.facebook.com/btaylor/outbox",
      "updates": "https://graph.facebook.com/btaylor/updates"
    }
  },
  "type": "user"
}

--
James Manger
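The point James makes above (a client following links and redirects must decide per request whether its token travels along) is easy to state and easy to get wrong. The following is an added example, not code from this thread, from the OAuth draft or from Facebook: it assumes the client has been told an explicit list of sites where its token is valid (here a single assumed entry, graph.facebook.com), walks a constructed response shaped like the Graph API document quoted above, and re-evaluates the token decision on every redirect hop. The `fetch` callback and the sample document are constructed for the illustration.

```python
"""Per-request token scoping for an OAuth client that follows links and redirects.

Added illustration, not code from the mailing-list thread or from Facebook.
Assumes the client has been configured with the sites (scheme + host [+ port])
where its token is valid; nothing in the 2010 draft defined how that list is
delivered, so TOKEN_SITES here is purely an assumption of this example.
"""
from urllib.parse import urljoin, urlsplit

# Assumption: the token is valid only at this authority.
TOKEN_SITES = {"https://graph.facebook.com"}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def authority(url):
    """Normalise a URL to scheme://host[:port], or None if it is not http(s).

    Uses the parsed hostname, so userinfo tricks such as
    https://graph.facebook.com@evil.example/ resolve to evil.example."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    try:
        port = p.port
    except ValueError:  # non-numeric port in the URL
        return None
    default = 443 if p.scheme == "https" else 80
    host = p.hostname.lower()
    if port is None or port == default:
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{port}"


def should_send_token(url, sites=TOKEN_SITES):
    """Send the token only to an exact authority match, and only over https.

    Exact matching rejects look-alike hosts (graph.facebook.com.evil.example);
    the https requirement keeps a bearer token off the wire in the clear."""
    a = authority(url)
    return a is not None and a.startswith("https://") and a in sites


def classify_links(doc, sites=TOKEN_SITES):
    """Map each 'metadata.connections' link to True/False: token goes along?"""
    conns = doc.get("metadata", {}).get("connections", {})
    return {name: should_send_token(url, sites) for name, url in conns.items()}


def follow_redirects(start_url, fetch, sites=TOKEN_SITES, max_hops=5):
    """Follow 3xx responses by hand, deciding afresh at every hop.

    `fetch(url, send_token) -> (status, location, body)` is a hypothetical
    transport callback. Returns (final_body, [(url, token_sent), ...])."""
    url, hops = start_url, []
    for _ in range(max_hops + 1):
        send = should_send_token(url, sites)
        hops.append((url, send))
        status, location, body = fetch(url, send)
        if status not in REDIRECT_STATUSES or not location:
            return body, hops
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("too many redirects")


# Constructed sample, modelled on the Graph API shape quoted in the thread,
# with three user-controlled-looking links added to exercise the edge cases.
SAMPLE_DOC = {
    "id": "220439",
    "metadata": {"connections": {
        "feed": "https://graph.facebook.com/btaylor/feed",
        "picture": "https://graph.facebook.com/btaylor/picture",
        "website": "http://www.example.com/btaylor",
        "lookalike": "https://graph.facebook.com.evil.example/btaylor",
        "userinfo": "https://graph.facebook.com@evil.example/btaylor",
    }},
}


def fake_fetch(url, send_token):
    """Constructed transport: the picture link redirects to a CDN on another
    host; every 200 body records whether a token was sent with the request."""
    if url == "https://graph.facebook.com/btaylor/picture":
        return 302, "https://cdn.example.net/p/220439.jpg", None
    return 200, None, {"url": url, "token_sent": send_token}


if __name__ == "__main__":
    for name, send in classify_links(SAMPLE_DOC).items():
        print(f"{name:10s} token={'yes' if send else 'no '}")
    body, hops = follow_redirects("https://graph.facebook.com/btaylor/picture", fake_fetch)
    for url, send in hops:
        print(f"{'with' if send else 'without'} token -> {url}")
    print(body)
```

The decision is made per URL, never per document: the fact that a link was found inside a response from graph.facebook.com says nothing about where it points, and a redirect from the token's site to a CDN on another host is followed without the token. Matching on the parsed hostname rather than a string prefix is what defeats both the look-alike host and the userinfo form.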