@michielbdejong
Collaborator

@michielbdejong michielbdejong commented Dec 4, 2024

Better information to the end user, about what the application is getting access to.

@michielbdejong michielbdejong marked this pull request as draft December 4, 2024 13:19
@michielbdejong michielbdejong force-pushed the fix-consent-information branch from 189ca44 to 14a0b55 Compare December 10, 2024 11:22
@michielbdejong
Collaborator Author

Rebased and implemented more cleanly, now that I understand config overrides. I inserted the word 'full' in the phrase 'An application is requesting full access' and the word 'all' in 'Do you trust this application to read and write all your data on your behalf?'. Leaving them out would be downplaying the impact of 'accept', and would make the consent unusable:
Screenshot 2024-12-10 at 12 22 42

@michielbdejong michielbdejong marked this pull request as ready for review December 10, 2024 11:25
@michielbdejong
Collaborator Author

No need to merge this before the migration. Would prefer to get some more reviews and merge in January 2025.

@michielbdejong
Collaborator Author

After investigating solid/web-access-control-spec#34 (comment) and realising that acl:origin in WAC is not an implementation of client identification, it's clear to me we do need to adopt this security improvement now; merging.

@michielbdejong michielbdejong merged commit 66aab65 into main Jan 16, 2025
@michielbdejong michielbdejong deleted the fix-consent-information branch January 16, 2025 11:16