Does OAuth reuse tokens across domains? If not, doesn't this just mean it is requesting an auth token for ghrc (the "fake" domain) but it can't access any auth tokens for ghcr (the real domain)?
Reminder not to use goofy TLDs, being cute is not worth it when compared to security. There's no guarantees that the process for taking down a malicious domain will be as smooth as a .com.
I'd rather deal with US verisign rather than the British Indian Ocean territory or colombia or anguila
One reason why you should never think or say ghcr, but always github container register, even if that is longer. You should have enough time for not getting trapped.
Root cause a stupid FLA of course. For several months I thought it means Google whatever register.
22 comments
[ 3.1 ms ] story [ 54.6 ms ] thread<https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Aut...>
Threats section for Bearer tokens: <https://datatracker.ietf.org/doc/html/rfc6750#section-5.2>
Does OAuth reuse tokens across domains? If not, doesn't this just mean it is requesting an auth token for ghrc (the "fake" domain) but it can't access any auth tokens for ghcr (the real domain)?
Thank you for this.
[1] https://docs.github.com/en/packages/working-with-a-github-pa...
Edit: most relevant issues?
https://github.com/orgs/community/discussions/38467
https://github.com/github/roadmap/issues/558
I'd rather deal with US verisign rather than the British Indian Ocean territory or colombia or anguila
Root cause a stupid FLA of course. For several months I thought it means Google whatever register.
curl -i -v https://ghrc.io/v2/ * Trying 128.199.6.40:443...