oauth-wg / oauth-browser-based-apps

Best practices for OAuth in Browser-Based Apps
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

Added section on the security of in-browser communication flows #29

Closed iphoneintosh closed 5 months ago

iphoneintosh commented 7 months ago

As discussed on the OSW, this PR adds a small section with security considerations on the use of postMessage (a.k.a. "web messaging") to this draft. It makes reference to Section 4.18 of the OAuth BCP, which already discusses the security implications of in-browser communication flows in detail.

Since (silent) iframe flows and popup flows are used especially in browser-based apps, we think that it makes sense to include security considerations of their in-browser communication into this draft. Please let us know what you think about this. We appreciate any feedback.
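As an added illustration of the kind of in-browser communication the PR description refers to (this is example code written for this page, not text from the draft, the OAuth BCP, or the PR), the following shows the two halves of a postMessage exchange between a browser-based app and the popup or iframe that received the authorization response. The weak receiver accepts whatever arrives; the hardened receiver checks the sender origin against an allowlist, checks that the message came from the window the app itself opened, checks the message shape, and binds the response to the `state` the app generated. The sender refuses a wildcard `targetOrigin`. The origin `https://app.example`, the `oauth-response` message type and the field names are assumptions for the example.

```javascript
// Added example for this page; not code from the draft or the PR.
// Assumed origin of the browser-based app that opened the popup/iframe.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Weak receiver: trusts any window on any origin that posts a message.
// Any page that can obtain a reference to this window can inject a
// "response" or read nothing but still cause the app to act on bogus data.
function weakAuthMessageHandler(event) {
  return { ok: true, code: event.data && event.data.code };
}

// Hardened receiver, run in the app window (e.g. window.addEventListener("message", ...)).
// `expectedState` is the state value the app generated before opening the
// popup/iframe; `expectedSource` is the window reference window.open() returned.
function handleAuthMessage(event, expectedState, expectedSource, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Only accept messages from an allowlisted origin.
  if (!allowedOrigins.has(event.origin)) {
    return { ok: false, reason: "origin-not-allowed" };
  }
  // 2. Only accept messages from the window the app itself opened.
  if (expectedSource && event.source !== expectedSource) {
    return { ok: false, reason: "unexpected-source" };
  }
  // 3. Validate the message shape instead of destructuring blindly.
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "oauth-response") {
    return { ok: false, reason: "unexpected-message" };
  }
  // 4. Bind the response to the state this app generated (CSRF/mix-up protection).
  if (typeof data.state !== "string" || data.state !== expectedState) {
    return { ok: false, reason: "state-mismatch" };
  }
  if (typeof data.code !== "string" || data.code.length === 0) {
    return { ok: false, reason: "missing-code" };
  }
  return { ok: true, code: data.code };
}

// Sender, run in the popup/iframe at the redirect URI: relays the
// authorization response to the opener with an explicit targetOrigin.
// A "*" targetOrigin would deliver the code to whatever page currently
// occupies the opener window, so it is rejected outright.
function sendAuthResponse(targetWindow, targetOrigin, params) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post an authorization response with a wildcard targetOrigin");
  }
  const message = { type: "oauth-response", code: params.code, state: params.state };
  targetWindow.postMessage(message, targetOrigin);
  return message;
}
```

In a real app the `expectedSource` check uses the `Window` object returned by `window.open()` (or `iframe.contentWindow`), and `expectedState` is a fresh random value stored before the flow starts; the checks above are deliberately pure functions so they can be unit-tested with constructed event objects.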

aaronpk commented 5 months ago

Sounds good to me, thanks!