In “Towards a standard for bearer token URLs”, I described a URL scheme that can be safely used to incorporate a bearer token (such as an OAuth access token) into a URL. That blog post concentrated on the technical details of how that would work and the security properties of the scheme. But as Tim Dierks […] | Neil Madden
In XSS doesn’t have to be Game Over, and earlier when discussing Can you ever (safely) include credentials in a URL?, I raised the possibility of standardising a new URL scheme that safe… | Neil Madden
A message I’m very used to seeing – but does XSS have to mean game over for web security? There’s a persistent belief among web security people that cross-site scripting (XSS) is a “gam… | Neil Madden