Assume the browser-side code is trusted on a website: The frontend is a static website, it's open source, and the loaded files are regularly checksummed. It doesn't send data to the server. For the sake of this argument, just assume the loaded files and scripts are not being maliciously altered by the resource server (Server A).
Now, I'm some other server (Server B) and I want to give the user on this website a secret, for example a JWT, so the user can make requests to Server B from Server A's website. I would prefer that the secret not be visible to the resource server (Server A).
Is there a way to pass a secret to the user through a redirect or by some other means, without it being shown to Server A?
I can design both Server A and Server B; the only security requirement is that Server A should not be able to see the secrets Server B passes to the user of Server A's website.