[openstreetmap/openstreetmap-website] Add support for OAuth 2 (#3177)

mmd notifications at github.com
Thu Apr 15 11:57:53 UTC 2021


> [Access token in URL query string]

According to https://tools.ietf.org/html/rfc6750#section-5.3, this approach isn't recommended:

> Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be
> passed in page URLs (for example, as query string parameters).
> Instead, bearer tokens SHOULD be passed in HTTP message headers or
> message bodies for which confidentiality measures are taken.
> Browsers, web servers, and other software may not adequately
> secure URLs in the browser history, web server logs, and other
> data structures. If bearer tokens are passed in page URLs,
> attackers might be able to steal them from the history data, logs,
> or other unsecured locations.

Adding this logic would be easily doable for sure. It feels a bit like encouraging bad practices, though.


https://github.com/openstreetmap/openstreetmap-website/pull/3177#issuecomment-820366578
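The point raised in the comment above (RFC 6750 section 5.3: carry bearer tokens in the Authorization header, not in the query string, because URLs end up in server logs and browser history) can be shown concretely. The following is an added example, not code from openstreetmap-website or from the commenter: a small Rack-style helper that accepts a token only from `Authorization: Bearer ...`, refuses an `access_token` query parameter, and a log formatter that shows which of the two request shapes leaks the token into a combined-format access log. The request hashes, the `/api/example` path, the token value and the `extract_bearer_token` / `access_log_line` names are all constructed for this illustration.

```ruby
# Added example (not part of openstreetmap-website): accept OAuth 2 bearer
# tokens only via the Authorization header, as RFC 6750 section 5.3 advises.
require "cgi"

# "Bearer <b64token>" per RFC 6750 section 2.1 (b64token charset, optional "=" padding).
BEARER_HEADER = /\ABearer\s+([A-Za-z0-9\-._~+\/]+=*)\z/

# Takes a Rack-style env hash and returns one of:
#   [:ok, token]       token found in the Authorization header
#   [:reject, reason]  token offered in the query string, or malformed header
#   [:none, nil]       no credentials presented at all
def extract_bearer_token(env)
  params = CGI.parse(env["QUERY_STRING"].to_s)
  if params.key?("access_token")
    # Refusing (rather than silently accepting) keeps clients from relying on
    # a transport that lands the token in logs, history and referrers.
    return [:reject, "send the bearer token in the Authorization header, not the query string"]
  end

  header = env["HTTP_AUTHORIZATION"].to_s
  return [:none, nil] if header.empty?

  m = BEARER_HEADER.match(header)
  return [:reject, "malformed Authorization header"] unless m
  [:ok, m[1]]
end

# Combined-log style request line, as a web server would write it. Only the
# request target (path + query) is logged, never the Authorization header,
# which is exactly why a query-string token is exposed and a header token is not.
def access_log_line(env)
  path = env["PATH_INFO"].to_s
  query = env["QUERY_STRING"].to_s
  target = query.empty? ? path : "#{path}?#{query}"
  "#{env["REMOTE_ADDR"]} - - \"#{env["REQUEST_METHOD"]} #{target} HTTP/1.1\" 200"
end

# Constructed sample requests (hypothetical path and token, not real traffic).
HEADER_REQUEST = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO" => "/api/example",
  "QUERY_STRING" => "",
  "HTTP_AUTHORIZATION" => "Bearer example-token-not-a-real-secret",
  "REMOTE_ADDR" => "203.0.113.5"
}.freeze

QUERY_REQUEST = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO" => "/api/example",
  "QUERY_STRING" => "access_token=example-token-not-a-real-secret",
  "REMOTE_ADDR" => "203.0.113.5"
}.freeze

if $PROGRAM_NAME == __FILE__
  [HEADER_REQUEST, QUERY_REQUEST].each do |env|
    status, detail = extract_bearer_token(env)
    puts "auth: #{status} #{detail}"
    puts "log:  #{access_log_line(env)}"
  end
end
```

Run as a script, the header-carried request authenticates and its log line contains no token, while the query-string request is rejected and its log line would have carried the full token had it been accepted.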

