kylewm / flask-micropub

Flask extension to support IndieAuth and Micropub clients.
http://flask-micropub.readthedocs.org/
BSD 2-Clause "Simplified" License

CSRF protection using state parameter #2

Open kylewm opened 9 years ago

kylewm commented 9 years ago

We need to protect against malicious redirects by adding a verifiable signature to the state parameter (in addition to the app-supplied next_url). TODO: understand this better.

http://tools.ietf.org/html/rfc6749#section-10.12
http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html
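An added example of the approach the comment describes (not flask-micropub's own code, which lives in the commit referenced below): an HMAC-signed state value that carries the app-supplied next_url plus a nonce and timestamp, and a verifier that fails closed on tampered, foreign-key, malformed or stale values. The secret, the payload layout and the 600-second maximum age are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(secret, next_url, now=None):
    """Return base64(payload) + "." + base64(HMAC-SHA256(secret, payload))."""
    # The payload carries the app-supplied next_url, a random nonce so every
    # authorization request gets a unique state, and an issue timestamp.
    payload = json.dumps({
        "next_url": next_url,
        "nonce": secrets.token_urlsafe(16),
        "iat": int(now if now is not None else time.time()),
    }, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(sig)


def verify_state(secret, state, max_age=600, now=None):
    """Return next_url if signature and age check out, otherwise None."""
    # A tampered next_url, a state minted under another key, garbage input,
    # or a state older than max_age seconds (assumed limit) all fail closed.
    try:
        payload_b64, sig_b64 = state.split(".", 1)
        payload, sig = _b64decode(payload_b64), _b64decode(sig_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        data = json.loads(payload)
        current = now if now is not None else time.time()
        if current - int(data["iat"]) > max_age:
            return None
        return data["next_url"]
    except (ValueError, KeyError, TypeError, binascii.Error):
        return None
```

The signature proves the app itself issued the state; to also tie the callback to the browser that started the flow, the nonce should additionally be stored in the user's session and compared on return.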

kylewm commented 9 years ago

fixed in c8494277a8cf59300adbb1ebc39955b80b88fd88