I think I fixed the security hole with this change, but there are further security recommendations that I should follow, specifically around following redirects:
Step one: I'll follow the permanent URL redirects, with a maximum of 5 redirects - if that number is exceeded I'll error. If any temporary redirects are encountered I will error as well. Treat this as the finished URL.
Step two: fetch the HTML and check that it has an authorization_endpoint that matches the original one.
https://indieauth.spec.indieweb.org/#differing-user-profile-urls
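The two steps described above, sketched as an added example that is not the project's own code. The function names, the injected `fetch` callable and the `PAGES` responses are hypothetical and constructed for illustration, and only the HTML `<link>` element is checked.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

PERMANENT, TEMPORARY, MAX_REDIRECTS = {301, 308}, {302, 303, 307}, 5

class AuthEndpointParser(HTMLParser):
    """Records the href of the first <link rel="authorization_endpoint">."""
    href = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").split()
        if tag == "link" and self.href is None and "authorization_endpoint" in rels:
            self.href = a.get("href")

def resolve_profile(url, fetch):
    """Step one: follow permanent redirects only, at most MAX_REDIRECTS of them."""
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = fetch(url)
        if status in TEMPORARY:
            raise ValueError(f"temporary redirect ({status}) at {url}")
        if status not in PERMANENT:
            return url, status, body
        url = urljoin(url, headers["Location"])  # Location may be relative
    raise ValueError(f"more than {MAX_REDIRECTS} redirects")

def verify_profile(url, original_endpoint, fetch):
    """Step two: the finished URL's HTML must name the original endpoint."""
    final_url, status, body = resolve_profile(url, fetch)
    if status != 200:
        raise ValueError(f"unexpected status {status} at {final_url}")
    parser = AuthEndpointParser()
    parser.feed(body)
    found = urljoin(final_url, parser.href) if parser.href else None
    if found != original_endpoint:
        raise ValueError(f"authorization_endpoint mismatch: {found!r}")
    return final_url

# Constructed responses standing in for the network: url -> (status, headers, body)
LINK = '<html><head><link rel="authorization_endpoint" href="%s"></head></html>'
PAGES = {
    "https://example.com/": (301, {"Location": "https://www.example.com/"}, ""),
    "https://www.example.com/": (200, {}, LINK % "https://auth.example.com/authorize"),
    "https://temp.example/": (302, {"Location": "https://www.example.com/"}, ""),
    "https://loop.example/": (308, {"Location": "/"}, ""),
    "https://other.example/": (200, {}, LINK % "https://auth.other.example/authorize"),
}

def fake_fetch(url):
    return PAGES[url]
```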