Open rfk opened 11 years ago
The JS helper passes an "audience" string along with the generated assertion, as seen here:
https://github.com/iriscouch/browserid_couchdb/blob/master/priv/main.js#L26
Why? AFAICT this value is ignored by the server-side code, and it would be a huge security issue to trust a client-submitted audience value.
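The concern raised above, as an added example that is not part of the original issue or of the browserid_couchdb code: an audience check that compares against a client-submitted value next to one that compares against server configuration. It assumes a BrowserID-style assertion whose JWT payload carries `aud`, and that signature and certificate verification happen elsewhere; all function names, the `EXPECTED_AUDIENCE` setting and the example.org/example.net hosts are hypothetical.

```javascript
// Added illustration: names and sample values are constructed, not taken from browserid_couchdb.
const EXPECTED_AUDIENCE = 'https://couch.example.org'; // assumed server-side config value

// Decode the payload of the assertion JWT (the last '~'-separated part).
// Signature and certificate checks must already have passed; they are omitted here.
function assertionPayload(backedAssertion) {
  const parts = String(backedAssertion).split('~').pop().split('.');
  if (parts.length !== 3) throw new Error('malformed assertion');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Reduce an audience to scheme://host[:port]; URL.origin drops default ports.
function normalizeOrigin(aud) {
  const u = new URL(aud);
  if (u.protocol !== 'https:' && u.protocol !== 'http:') throw new Error('bad scheme');
  return u.origin;
}

// Weak: the value compared against arrives in the same request as the assertion.
function audienceOkTrustingClient(request) {
  const aud = assertionPayload(request.assertion).aud;
  return normalizeOrigin(aud) === normalizeOrigin(request.audience);
}

// Hardened: request.audience is never read; the expected origin is server configuration.
function audienceOk(request, expected = EXPECTED_AUDIENCE) {
  try {
    const aud = assertionPayload(request.assertion).aud;
    return typeof aud === 'string' && normalizeOrigin(aud) === normalizeOrigin(expected);
  } catch (err) {
    return false; // malformed assertion or audience: reject
  }
}

// Constructed sample assertions (placeholder certificate and signature).
function makeSampleAssertion(aud) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return ['cert-placeholder', [b64({ alg: 'RS256' }), b64({ aud }), 'sig'].join('.')].join('~');
}

const forOtherSite = {
  assertion: makeSampleAssertion('https://other.example.net'),
  audience: 'https://other.example.net', // client-chosen to match the assertion
};
const forThisSite = { assertion: makeSampleAssertion('https://couch.example.org:443') };

console.log(audienceOkTrustingClient(forOtherSite), audienceOk(forOtherSite), audienceOk(forThisSite));
```

The weak check accepts an assertion issued for a different origin because both sides of the comparison come from the request; the hardened check rejects it and still accepts the server's own origin written with an explicit default port.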