commit: b6e4cb96ef44c291a0480aacbd1a3318854d3313
parent b62dc97a011f164cfebc0da7863fd9020a3721bc
Author: William Pitcock <nenolod@dereferenced.org>
Date: Fri, 12 Apr 2019 23:40:28 -0500
lice: add a note about fake direction attacks
Diffstat:
1 file changed, 12 insertions(+), 0 deletions(-)
diff --git a/lice.md b/lice.md
@@ -255,3 +255,15 @@ content that was not authorized by the granting server.
Implementations SHOULD include key properties of the child object when generating a
proof object, such as `content`, `name`, `summary` and `attachment`.
+
+
+## Fake Direction Spoofing
+
+A malicious server could present a proof object using a third-party domain or third-party
+actor.
+
+Implementations SHOULD verify that the proof object is created by the same actor which
+created the content being interacted with.
+
+Implementations SHOULD verify that the proof object is at the same domain as the object
+being interacted with.
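Review bot: The two new requirements under "Fake Direction Spoofing" leave the comparison and the failure case unspecified. "At the same domain as the object being interacted with" does not say which identifiers are compared (the proof object's own id, its actor, or both) or whether the match is on host name only or on the full origin including scheme and port, so two implementations can reach different verdicts on the same proof. Neither paragraph says what to do when a check fails; suggest adding a sentence that a proof object failing either check is treated as invalid and the interaction is not accepted. Since both checks are worded as SHOULD, an implementation that skips them remains conforming while still accepting a third-party proof as described in the first paragraph; consider whether MUST is intended here. Minor: the hunk adds two blank lines before the new heading where one would do.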