Think of it this way: The server is trying to send some ... • Aaron Parecki

45°F

alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

Think of it this way: The server is trying to send some sensitive data to the application, but has no direct communication channel, and instead has to trust some other piece of software (the browser) to deliver it.

Mountain View, California • 49°F

Thu, May 2, 2019 8:40am -07:00

1 reply
Have you written a response to this? Let me know the URL:
- alianora cybre.space/@nightpool
  
  @aaronpk sorry I guess I should have specified "with https". doesn't https' security model encompass this one?
  
  Thu, May 2, 2019 3:57pm +00:00

Posted in /replies using monocle.p3k.io