You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-oauth-browser-based-apps.md
+8-6Lines changed: 8 additions & 6 deletions
Original file line number
Diff line number
Diff line change
@@ -167,17 +167,17 @@ the following terms:
167
167
This document discusses the security of browser-based applications, which are executed by the browser in a runtime environment. In most scenarios, these applications are JavaScript (JS) applications running in a JavaScript execution environment. Given the popularity of this scenario, this document uses the term "JavaScript" to refer to all mechanisms that allow code to execute in the application's runtime in the browser. The recommendations and considerations in this document are not exclusively linked to the JavaScript language or its runtime, but also apply to other languages and runtime environments in the browser.
168
168
169
169
"PKCE":
170
-
: PKCE refers to Proof Key for Code Exchange (PKCE) {{RFC7636}}, a mechanism
170
+
: Proof Key for Code Exchange (PKCE) {{RFC7636}}, a mechanism
171
171
to prevent various attacks on OAuth authorization codes.
172
172
173
173
"DPoP":
174
-
: DPoP {{RFC9449}} is a mechanism to restrict access tokens to be used only by the client they were issued to.
174
+
: OAuth 2.0 Demonstrating of Proof of Possession (DPoP) {{RFC9449}} is a mechanism to restrict access tokens to be used only by the client they were issued to.
175
175
176
176
"CORS":
177
-
: CORS refers to Cross-Origin Resource Sharing {{Fetch}}, a mechanism that enables exceptions to the browser's same-origin policy.
177
+
: Cross-Origin Resource Sharing {{Fetch}}, a mechanism that enables exceptions to the browser's same-origin policy.
178
178
179
179
"CSP":
180
-
: CSP refers to Content Security Policy {{-CSP3}}, a mechanism of restricting which resources a particular web page can fetch or execute.
180
+
: Content Security Policy {{-CSP3}}, a mechanism of restricting which resources a particular web page can fetch or execute.
181
181
182
182
183
183
History of OAuth 2.0 in Browser-Based Applications
@@ -213,7 +213,7 @@ Unfortunately, history shows that even when applying these security guidelines,
213
213
214
214
Applications might obtain OAuth tokens that confer authorization
215
215
necessary to their functioning. In combination, this effectively gives
216
-
compromised code the ability to use that authorization for malicious ends
216
+
compromised code the ability to use that authorization for malicious ends.
217
217
Though the risk of attacker abuse of authorization is unavoidable, there are
218
218
ways to limit the extent to which a compromised application can abuse that
219
219
authorization. For instance, this access might be limited to times when the
@@ -327,7 +327,7 @@ The application can use DPoP to ensure its access tokens are bound to non-export
327
327
328
328
### Client Hijacking {#consequence-hijack}
329
329
330
-
When stealing tokens is not possible or desirable, the attacker can also choose to hijack the OAuth client application running in the user's browser. This effectively allows the attacker to perform any operations that the legitimate client application can perform. Examples include inspecting data on the page, modifying the page, and sending requests to backend systems. alternatively, the attacker can also abuse their access to the application to launch additional attacks, such as tricking the client into acting on behalf of the attacker using an attack such as session fixation.
330
+
When stealing tokens is not possible or desirable, the attacker can also choose to hijack the OAuth client application running in the user's browser. This effectively allows the attacker to perform any operations that the legitimate client application can perform. Examples include inspecting data on the page, modifying the page, and sending requests to backend systems. Alternatively, the attacker can also abuse their access to the application to launch additional attacks, such as tricking the client into acting on behalf of the attacker using an attack such as session fixation.
331
331
332
332
Note that client hijacking is less powerful than directly abusing stolen user tokens. In a client hijacking scenario, the attacker cannot directly control the tokens and is restricted by the security policies enforced on the client application. For example, a resource server running on `admin.example.org` can be configured with a CORS policy that rejects requests coming from a client running on `web.example.org`. Even if the access token used by the client would be accepted by the resource server, the resource server's strict CORS configuration does not allow such a request. A resource server without such a strict CORS policy can still be subject to adversarial requests coming from the compromised client application.
0 commit comments