I have recently been looking into the idea of using oauth2 on observablehq to access third-party resources. Essentially, building an API client to sign in the user. But I was wondering about the security setup here.
Some background on a clickjacking attack:
In other threads, I’ve seen discussion that because the notebook runs in a sandbox, it is secure. But the attack above describes someone hosting your notebook “invisibly” on their own site, and getting the user to interact with it unknowingly, making use of any persistent session data that the user has previously made available to your notebook when they interacted with it in a legitimate context.
This means that if we create controls in our notebooks that are able to set up an oauth2 context by retrieving access or id tokens or other secrets, we need to be careful about where they are persisted, if at all.
Has anyone explored this idea and whether a secure solution is possible?
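A defensive sketch of the concern raised above, added here as an example and not part of the original post: the token is held only in memory (never in localStorage/sessionStorage) and is withheld when the notebook is framed by a foreign origin. The `win` parameter stands in for the browser's `window` so the logic can run outside a browser; `isFramedByForeignOrigin` and `EphemeralTokenStore` are hypothetical names.

```javascript
// Added example, not code from the original post or from Observable.
// `win` stands in for the browser `window` so the logic is testable offline.

// True when this document is embedded by a top-level document on another origin.
function isFramedByForeignOrigin(win) {
  // Not framed at all: top and self are the same window.
  if (win.top === win.self) return false;
  try {
    // A same-origin embedder exposes its origin; compare it with ours.
    return win.top.location.origin !== win.location.origin;
  } catch (e) {
    // Browsers throw a SecurityError when reading top.location across origins,
    // which by itself proves a foreign embedder.
    return true;
  }
}

// Holds an OAuth2 access token in closure state only; nothing is persisted.
class EphemeralTokenStore {
  constructor(win) {
    this.win = win;
    this.token = null;   // lives only in this object, never written to storage
    this.expiresAt = 0;  // epoch milliseconds
  }

  set(accessToken, expiresInSeconds, now = Date.now()) {
    this.token = accessToken;
    this.expiresAt = now + expiresInSeconds * 1000;
  }

  // Returns the token, null if expired/unset, or throws (and wipes the token)
  // when the notebook is being rendered inside a foreign frame.
  get(now = Date.now()) {
    if (isFramedByForeignOrigin(this.win)) {
      this.clear();
      throw new Error("refusing to release token: notebook is framed by another origin");
    }
    if (!this.token || now >= this.expiresAt) return null;
    return this.token;
  }

  clear() {
    this.token = null;
    this.expiresAt = 0;
  }
}
```

The server-side complement is a `Content-Security-Policy: frame-ancestors` header on the hosting page, which this client-side check does not replace.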