Re: [whatwg/fetch] Cannot get next URL for redirect="manual" (#763)

> @iamnoah do you pass the token to the redirect Location via GET params? Are you concerned with the fact that it will be both visible and logged everywhere in access logs (user proxies, web servers, potentially routers, etc.)?

No, because it’s over HTTPS, so anything that can see the full URL also can see normal cookies. The tokens are short-lived.

The real concern is XSS or something being able to make a request and get the token and immediately use it for an automated attack. 

-- 
https://github.com/whatwg/fetch/issues/763#issuecomment-916396088

Received on Thursday, 9 September 2021 20:02:09 UTC