
Better Spec Compliance

Open · avnr opened this issue 9 years ago · 1 comment

http://tools.ietf.org/html/rfc6749#section-3.1.2.5:

The client SHOULD NOT include any third-party scripts (e.g., third-party analytics, social plug-ins, ad networks) in the redirection endpoint response.

Yet the demo's redirect page includes a call to Google Analytics. I know that RFCs' SHOULD NOT is not as severe as MUST NOT, but after all people may be using the demo as a template app and end up exposing tokens via the GA info chain.

avnr, Jul 23 '15 19:07
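As an added illustration of the leak the quoted RFC text guards against (example code, not from oauth2-demo-php or from either commenter): an analytics snippet embedded in the redirection endpoint response builds its page-view hit from `document.location`, so whatever the authorization server put in the redirect URI (the `code` in the query for the authorization code grant, or the `access_token` in the fragment for the implicit grant) goes to the third party along with it. The block below shows that hit, and a scrub that pulls the OAuth parameters out of the URL and rewrites the address bar with `history.replaceState` before any such script runs. The endpoint paths, the fake `window` object, and the code and token values are constructed for the example.

```javascript
// Added example (not oauth2-demo-php code): what a third-party script on the
// redirection endpoint page can see, and how to scrub the OAuth parameters
// out of the URL before such a script runs. Paths and values are constructed.

// Parameters RFC 6749 places in the redirect URI: in the query for the
// authorization code grant (4.1.2), in the fragment for the implicit grant
// (4.2.2), plus the error response fields.
const OAUTH_PARAMS = [
  "code", "state", "access_token", "token_type", "expires_in", "scope",
  "error", "error_description",
];

// Simulates the page-view hit a typical analytics snippet builds from
// document.location: the full URL, query and fragment included, is what
// leaves for the third party. Anything still in the URL at that moment leaks.
function analyticsHit(href) {
  return { t: "pageview", dl: href };
}

// Split a redirect URL into the OAuth parameters the client needs and a clean
// URL that is safe to expose. Both the query and the fragment are checked.
function scrubOAuthParams(href) {
  const url = new URL(href);
  const params = {};

  for (const name of OAUTH_PARAMS) {
    if (url.searchParams.has(name)) {
      params[name] = url.searchParams.get(name);
      url.searchParams.delete(name);
    }
  }

  const frag = new URLSearchParams(url.hash.length > 1 ? url.hash.slice(1) : "");
  for (const name of OAUTH_PARAMS) {
    if (frag.has(name)) {
      params[name] = frag.get(name);
      frag.delete(name);
    }
  }

  // Rebuild by hand so an emptied query or fragment leaves no dangling '?'/'#'.
  const query = url.searchParams.toString();
  const fragment = frag.toString();
  const cleanHref = url.origin + url.pathname +
    (query ? "?" + query : "") + (fragment ? "#" + fragment : "");
  return { params, cleanHref };
}

// In a browser, call this before any third-party <script> tag is parsed:
// later scripts (and the Referer header on requests they make) then no longer
// carry the code or token. `win` is passed in so the logic is testable
// outside a browser with a fake window object.
function scrubLocation(win) {
  const { params, cleanHref } = scrubOAuthParams(win.location.href);
  if (cleanHref !== win.location.href) {
    win.history.replaceState(null, "", cleanHref);
  }
  return params;
}
```

The scrub is defence in depth, not a substitute for the RFC's advice: a script that has already executed, or a Referer sent before the rewrite, has the original URL. The cleaner fix for a server-side client such as this demo is to consume the `code` at the redirection endpoint and answer with a redirect to a page whose URL carries nothing sensitive, and to load analytics only there.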

Good catch! Wow, that's surprising, as from an analytics standpoint this is definitely important info to track.

bshaffer, Jul 24 '15 21:07