In the past year, blockchain tokens (more commonly referred to as “virtual tokens” or just “tokens”) have nudged their way into mainstream consciousness with the proliferation of “initial coin offerings,” or “ICOs,” and the blockbuster rises, and drops, in the prices of cryptocurrencies. An emerging trend sees companies and virtual organizations leveraging the value of these tokens, not only for non-dilutive capital raising purposes, but also to compensate and incentivize founders, directors, employees, consultants and other service providers. Just as with issuances of founder’s stock, stock options and other traditional equity-based compensation, token-based compensation requires significant consideration from both a securities law and a tax law perspective. The U.S. Securities and Exchange Commission (the “SEC”) initially provided guidance in July 2017 directing practitioners to apply the test articulated in SEC v. … the cornerstone of … when determining whether an issuer’s tokens would be considered securities under the Securities Act of 1933, as amended (the “Securities Act”).

We recommend using the Auth0 SPA SDK to handle token storage, session management, and other details for you. When the SPA calls only an API that is served from a domain that can share cookies with the domain of the SPA, no tokens are needed. OAuth adds additional attack vectors without providing any additional value and should be avoided in favor of a traditional cookie-based approach. When the SPA calls multiple APIs that reside in a different domain, access, and optionally, refresh tokens are needed.

If the SPA backend can handle the API calls, then it functions similar to a traditional web application that handles tokens server-side using Authorization Code Flow with Proof Key for Code Exchange. If the SPA backend cannot handle the API calls, then it functions similar to a mobile application that stores tokens in the SPA backend, but the SPA needs to fetch the tokens from the backend to perform requests to the API. A protocol needs to be established between the backend and the SPA to allow the secure transfer of the token from the backend to the SPA. If you have a SPA with no corresponding backend server, your SPA should request new tokens on login and store them in memory without any persistence. To make API calls, your SPA would then use the in-memory copy of the token.

Storing tokens in browser local storage provides persistence across page refreshes and browser tabs; however, if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage. A vulnerability leading to a successful XSS attack can be either in the SPA source code or in any third-party JavaScript code (such as Bootstrap, jQuery, or Google Analytics) included in the SPA. Reduce the amount of third-party JavaScript code included from a source outside your domain to the minimum needed (such as links to jQuery, Bootstrap, Google Analytics, etc.); reducing third-party JS code reduces the possibility of an XSS vulnerability. Performing Subresource Integrity (SRI) checking on third-party scripts (where possible), to verify that the resources fetched are delivered without unexpected manipulation, is also more secure.

To reduce security risks if your SPA is using implicit (we recommend using authorization code flow with PKCE instead) or hybrid flows, you can reduce the absolute token expiration time. This reduces the impact of a reflected XSS attack (but not of a persistent one). To reduce the expiration time, go to Dashboard > APIs > Settings > Token Expiration For Browser Flows (Seconds).