[openstreetmap/openstreetmap-website] OAuth flow should show more information about the application requesting rights (Issue #4217)
Pieter Vander Vennet
notifications at github.com
Fri Sep 1 21:34:00 UTC 2023
> I don't see that it helps anyway as surely your hypothetical attacker would just enter your URL in the same way they could enter MapComplete as an application name. Unless you're expecting us to start manually approving all applications, collecting and displaying extra data isn't going to prove anything.
This is where the 'redirect URLs' come in. If a URL is entered, the redirect after authorization should be to only this entered URL, thus bringing the victim back to the trusted, actual application that they think they are authorizing.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4217#issuecomment-1703341126
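The redirect check this reply relies on, as an added example that is not part of the original message or of the openstreetmap-website code: an authorization server that only ever redirects to a URL registered for the client, so an application that copies another application's name and URL cannot receive the authorization code itself. The client ids, the `.example` URLs and the function names are constructed for illustration.

```ruby
require "uri"

# Constructed registry: client_id => redirect URIs entered at registration.
# "lookalike-app" copies the real application's name and URL.
REGISTERED_REDIRECTS = {
  "real-app"      => ["https://mapcomplete.example/land.html"],
  "lookalike-app" => ["https://mapcomplete.example/land.html"]
}.freeze

# Returns the redirect URI to use, or nil when the request must be refused
# with an error page instead of a redirect.
def resolve_redirect(client_id, requested)
  registered = REGISTERED_REDIRECTS[client_id]
  return nil if registered.nil? || requested.nil?

  uri = begin
    URI.parse(requested)
  rescue URI::InvalidURIError
    return nil
  end
  # Defence in depth before the comparison: HTTPS only, no userinfo, no fragment.
  return nil unless uri.is_a?(URI::HTTPS) && uri.userinfo.nil? && uri.fragment.nil?

  # Exact string match; prefix or host-suffix matching would let
  # "https://mapcomplete.example.attacker.example/" through.
  registered.include?(requested) ? requested : nil
end

# Builds the post-authorization redirect carrying the code, or nil if refused.
def authorization_redirect(client_id, requested, code, state)
  target = resolve_redirect(client_id, requested)
  return nil if target.nil?

  uri = URI.parse(target)
  params = URI.decode_www_form(uri.query.to_s) + [["code", code], ["state", state]]
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  [
    ["real-app", "https://mapcomplete.example/land.html"],
    ["lookalike-app", "https://mapcomplete.example/land.html"],
    ["lookalike-app", "https://attacker.example/cb"],
    ["lookalike-app", "https://mapcomplete.example.attacker.example/land.html"]
  ].each do |client_id, redirect_uri|
    result = authorization_redirect(client_id, redirect_uri, "constructed-code", "constructed-state")
    puts "#{client_id} #{redirect_uri} -> #{result || 'refused'}"
  end
end
```

For the lookalike client the only accepted outcome sends the code to the registered host, which is the real application.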