w3c / webappsec-change-password-url

A Well-Known URL for Changing Passwords
https://w3c.github.io/webappsec-change-password-url/

Consider restricting the target of the redirect to be same-origin #8

Closed hober closed 4 years ago

hober commented 5 years ago

See https://news.ycombinator.com/item?id=18618534

jbtule commented 5 years ago

If you restrict the target of the redirect to same origin, it becomes crippled in federated login environments.

othermaciej commented 5 years ago

I don't think this is necessary, I agree with this counterpoint: https://news.ycombinator.com/item?id=18618930

hober commented 4 years ago

@jbtule, @othermaciej okay, I'm sold. Closing.