Re: [OAUTH-WG] Redirects

[David Recordon <recordond@gmail.com>]

I thought this thread was about https://graph.facebook.com/btaylor returning
a HTTP redirect, not about following links returned within the result?


On Thu, May 6, 2010 at 11:28 PM, Manger, James H <
James.H.Manger@team.telstra.com> wrote:

>  > Don't you have larger problems if your protected resources are
> compromised?
>
>
>
>
>
> There is no compromise.
>
> It is perfectly normal for a service to return content with links to
> arbitrary other sites.
>
> Even redirects to arbitrary other sites (open redirectors) — thought they
> cause some issues — don’t mean the protected resources are compromised.
>
> It just means clients need to be careful when following links and redirects
> on the web, and they need the right info to be able to be careful (such as
> when to include a token).
>
>
>
>
>
> All the “connections” in the Facebook API example shown below are to
> Facebook. If Facebook allowed user-generated values for some of these that
> could point to other sites, it wouldn’t mean Facebook was compromised
> technically, but it would mean a token should be include when getting some
> but not others.
>
>
>
> https://graph.facebook.com/btaylor?metadata=1
>
> {
>
>    "id": "220439",
>
>    "name": "Bret Taylor",
>
>    "first_name": "Bret",
>
>    "last_name": "Taylor",
>
>    "link": "http://www.facebook.com/btaylor",
>
>    "location": {
>
>       "id": 109650795719651,
>
>       "name": "Los Gatos, California"
>
>    },
>
>    "gender": "male",
>
>    "metadata": {
>
>       "connections": {
>
>          "home": "https://graph.facebook.com/btaylor/home",
>
>          "feed": "https://graph.facebook.com/btaylor/feed",
>
>          "friends": "https://graph.facebook.com/btaylor/friends",
>
>          "family": "https://graph.facebook.com/btaylor/family",
>
>          "activities": "https://graph.facebook.com/btaylor/activities",
>
>          "interests": "https://graph.facebook.com/btaylor/interests",
>
>          "music": "https://graph.facebook.com/btaylor/music",
>
>          "books": "https://graph.facebook.com/btaylor/books",
>
>          "movies": "https://graph.facebook.com/btaylor/movies",
>
>          "television": "https://graph.facebook.com/btaylor/television",
>
>          "likes": "https://graph.facebook.com/btaylor/likes",
>
>          "posts": "https://graph.facebook.com/btaylor/posts",
>
>          "tagged": "https://graph.facebook.com/btaylor/tagged",
>
>          "statuses": "https://graph.facebook.com/btaylor/statuses",
>
>          "links": "https://graph.facebook.com/btaylor/links",
>
>          "notes": "https://graph.facebook.com/btaylor/notes",
>
>          "photos": "https://graph.facebook.com/btaylor/photos",
>
>          "albums": "https://graph.facebook.com/btaylor/albums",
>
>          "events": "https://graph.facebook.com/btaylor/events",
>
>          "groups": "https://graph.facebook.com/btaylor/groups",
>
>          "videos": "https://graph.facebook.com/btaylor/videos",
>
>          "picture": "https://graph.facebook.com/btaylor/picture",
>
>          "inbox": "https://graph.facebook.com/btaylor/inbox",
>
>          "outbox": "https://graph.facebook.com/btaylor/outbox",
>
>          "updates": "https://graph.facebook.com/btaylor/updates"
>
>       }
>
>    },
>
>    "type": "user"
>
> }
>
>
>
>
>
> --
>
> James Manger
>