litepub.social: Website of https://litepub.social/
Author: William Pitcock <firstname.lastname@example.org>
Date: Fri, 12 Apr 2019 23:40:28 -0500
lice: add a note about fake direction attacks
1 file changed, 12 insertions(+), 0 deletions(-)
diff --git a/lice.md b/lice.md
@@ -255,3 +255,15 @@ content that was not authorized by the granting server.
Implementations SHOULD include key properties of the child object when generating a
proof object, such as `content`, `name`, `summary` and `attachment`.
+## Fake Direction Spoofing
+A malicious server could present a proof object using a third-party domain or third-party
+Implementations SHOULD verify that the proof object is created by the same actor which
+created the content being interacted with.
+Implementations SHOULD verify that the proof object is at the same domain as the object
+being interacted with.
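Review bot: In the new "Fake Direction Spoofing" section, the sentence beginning "A malicious server could present a proof object using a third-party domain or third-party" stops without an object as shown here, so the threat is not fully stated. Complete it so a reader knows what the second third-party item is and what a forged proof would let the malicious server claim. The two mitigations that follow are both SHOULD, and neither says what an implementation does when the check fails; consider stating that the interaction is rejected in that case, and consider whether these checks ought to be MUST, given they are the only defence the section offers. "At the same domain" would also benefit from saying what is compared (for example the host of each object's `id`), since the treatment of subdomains and ports is otherwise left to each implementation.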