Registration - 5 - Security issue with displaying client URLs

Issue #488 resolved
gffletch created an issue

I think we need to add some text regarding this security consideration.

In a situation where the OP is supporting open client registration, it must be extremely careful with any URL provided by the client that will be displayed to the user (e.g. logo_url and policy_url). A rogue client could specify a registration request with a reference to a drive-by download in the policy_url. The OP should check to see if the logo_url and policy_url have the same host as the hosts defined in the array of redirect_uris.
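
One way to implement the host check proposed above, in Python, as an added example that is not code from the OpenID Connect specification work or from anyone in this thread. The field names redirect_uris, logo_url and policy_url are the registration parameters named in the issue; the sample requests are constructed for the example. It also goes a little beyond the text: it refuses display URLs whose scheme is not http(s) (a javascript: or data: URL is as dangerous as a foreign host), and it ignores custom-scheme redirect URIs, so a native app with only such URIs ends up with an empty set of allowed hosts and its logo_url is flagged, which is exactly the case the thread goes on to discuss.

```python
import json
from urllib.parse import urlsplit

# URL-valued registration parameters the OP will render for the end user
# (the two named in the issue; extend the tuple for others the OP displays).
DISPLAYED_URL_FIELDS = ("logo_url", "policy_url")

# Only web schemes may be displayed; javascript:, data:, file: etc. are refused.
WEB_SCHEMES = {"http", "https"}


def redirect_hosts(redirect_uris):
    """Return the set of hostnames used by the http(s) redirect_uris.

    .hostname is lowercased and has userinfo and port stripped, so
    https://a@Client.Example.org:8443/cb contributes "client.example.org".
    Custom-scheme URIs such as com.example.app:/cb (native apps) have no
    web host and contribute nothing; an OP that wants to let such clients
    host a logo elsewhere needs an explicit exception outside this check.
    """
    hosts = set()
    for uri in redirect_uris:
        if not isinstance(uri, str):
            continue
        try:
            parts = urlsplit(uri)
        except ValueError:           # e.g. unbalanced IPv6 brackets
            continue
        if parts.scheme in WEB_SCHEMES and parts.hostname:
            hosts.add(parts.hostname)
    return hosts


def check_displayed_urls(request, fields=DISPLAYED_URL_FIELDS):
    """Validate one registration request (a dict parsed from JSON).

    Returns a list of human-readable problems; an empty list means every
    displayed URL uses http(s) and points at a host that also appears in
    redirect_uris.
    """
    problems = []
    redirect_uris = request.get("redirect_uris")
    if not isinstance(redirect_uris, list):
        problems.append("redirect_uris: missing or not a list")
        return problems
    allowed = redirect_hosts(redirect_uris)

    for field in fields:
        value = request.get(field)
        if value is None:
            continue                  # optional parameter, not supplied
        if not isinstance(value, str):
            problems.append(f"{field}: not a string")
            continue
        try:
            parts = urlsplit(value)
        except ValueError:
            problems.append(f"{field}: unparsable URL")
            continue
        if parts.scheme not in WEB_SCHEMES:
            problems.append(f"{field}: scheme {parts.scheme!r} is not http(s)")
            continue
        if not parts.hostname:
            problems.append(f"{field}: no host")
            continue
        if parts.hostname not in allowed:
            problems.append(
                f"{field}: host {parts.hostname!r} is not a redirect_uris host")
    return problems


def check_registration_json(text):
    """Convenience wrapper: validate the raw JSON body of a registration request."""
    return check_displayed_urls(json.loads(text))


# Constructed sample requests (not real clients).
GOOD_REQUEST = {
    "redirect_uris": ["https://client.example.org/callback",
                      "https://client.example.org/cb2"],
    "logo_url": "https://client.example.org/logo.png",
    "policy_url": "https://client.example.org/policy.html",
}

# Rogue client: same-host logo, but the policy link points at a download host.
ROGUE_REQUEST = {
    "redirect_uris": ["https://client.example.org/callback"],
    "logo_url": "https://client.example.org/logo.png",
    "policy_url": "https://downloads.attacker.example/policy.html",
}

# Native app with a custom-scheme redirect URI: no web host to compare against.
NATIVE_REQUEST = {
    "redirect_uris": ["com.example.app:/oauth2redirect"],
    "logo_url": "https://cdn.example.net/logo.png",
}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("rogue", ROGUE_REQUEST),
                      ("native", NATIVE_REQUEST)):
        print(name, check_displayed_urls(req) or "ok")
```

The comparison is on hostname only, so a display URL on a different port of the same host passes; tighten to (scheme, host, port) if the deployment needs it. The userinfo trick `https://client.example.org@downloads.attacker.example/` is caught because .hostname yields the real host, not the text before the @.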

Comments (5)

  1. John Bradley

    I have added it as a placeholder. We should consider if there are legitimate reasons to have the logo_url or policy_url on a separate host. Embedded clients and native apps come to mind.