CORS requests against OIDC
liamr at umich.edu
Wed May 15 21:10:16 EDT 2019
On Wed, May 15, 2019 at 5:27 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> > Does that seem reasonable?
> I'm a bad choice to comment, but my feeling is that opening up any IdP
> path to CORS essentially guarantees malware exfiltration of sessions. This
> is either decently mitigated by network bound sessions or not, based on how
> hard you think client IP spoofing is.
It is basically implementing what's described at
The SAML endpoints would suffer from the same vulnerable, right?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users