Merge pull request #96 from oauthstuff/danielfett/ms-feedback

Microsoft feedback

Author: danielfett

A02_recommendations.md

@@ -110,7 +110,7 @@ access token replay as described in (#insufficient_uri_validation),
 (#credential_leakage_referrer), (#browser_history), and
 (#access_token_injection).
 
-Moreover, no viable method for sender-constraining exists to
+Moreover, no standardized method for sender-constraining exists to
 bind access tokens to a specific client (as recommended in
 (#token_replay_prevention)) when the access tokens are issued in the
 authorization response. This means that an attacker can use the leaked or stolen

A04_attacks-and-mitigations.md

@@ -106,7 +106,7 @@ The attack described above works for the implicit grant as well. If
 the attacker is able to send the authorization response to an attacker-controlled URI, the attacker will directly get access to the fragment carrying the
 access token.
 
-Additionally, implicit clients can be subject to a further kind of
+Additionally, implicit grants (and also other grants when using `response_mode=fragment` as defined in [@OAuth.Responses]) can be subject to a further kind of
 attack. It utilizes the fact that user agents re-attach fragments to
 the destination URL of a redirect if the location header does not
 contain a fragment (see [@!RFC9110], Section 17.11). The attack
@@ -211,8 +211,7 @@ from the authorization server's or the client's website, respectively. Most
 importantly, authorization codes or `state` values can be disclosed in
 this way. Although specified otherwise in [@RFC9110], Section 10.1.3,
 the same may happen to access tokens conveyed in URI fragments due to
-browser implementation issues, as illustrated by Chromium Issue 168213
-[@bug.chromium].
+browser implementation issues, as illustrated by a (now fixed) issue in the Chromium project [@bug.chromium].
 
 ### Leakage from the OAuth Client
 

B_references.md

@@ -53,7 +53,24 @@
   </front>
 </reference>
 
-
+<reference anchor="OAuth.Responses" target="https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html">
+  <front>
+    <title>OAuth 2.0 Multiple Response Type Encoding Practices</title>
+    <author initials="B." surname="de Medeiros" fullname="Breno de Medeiros">
+      <organization>Google</organization>
+    </author>
+    <author initials="M." surname="Scurtescu" fullname="Mihai Scurtescu">
+      <organization>Google</organization>
+    </author>
+    <author initals="P." surname="Tarjan" fullname="Peter Tarjan">
+      <organization>Facebook</organization>
+    </author>
+    <author initials="M." surname="Jones" fullname="Mike Jones">
+      <organization>Microsoft</organization>
+    </author>
+    <date day="25" month="Feb" year="2014"/>
+  </front>
+</reference>
 
 <reference anchor="owasp.redir" target="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">
   <front>
@@ -190,7 +207,7 @@
   <format target="https://www.doc.ic.ac.uk/~maffeis/papers/jcs14.pdf" type="pdf" />
 </reference>
 
-<reference anchor="bug.chromium" target="https://bugs.chromium.org/p/chromium/issues/detail?id=168213/">
+<reference anchor="bug.chromium" target="https://issues.chromium.org/issues/40076763/">
   <front>
     <title>Referer header includes URL fragment when opening link using New Tab</title>
     <author></author>

C_documenthistory.md

@@ -4,6 +4,7 @@
 
    -27
 
+   * Mostly editorial feedback from Microsoft incorporated
    * Feedback from SECDIR review incorporated
 
    -26