Merge pull request #80 from oauthstuff/danielfett/fix-71

danielfett · web-flow · commit 1d550e38730b · 2023-06-05T17:48:22.000+02:00
Editorial change to fix #71
diff --git a/attacks-and-mitigations.md b/attacks-and-mitigations.md
@@ -172,9 +172,9 @@ fragment and obtain the access token.
    
 The complexity of implementing and managing pattern matching correctly obviously
 causes security issues. This document therefore advises to simplify the required
-logic and configuration by using exact redirect URI matching. This means
-the authorization server MUST compare the two URIs using simple string
-comparison as defined in [@!RFC3986], Section 6.2.1. The only exception are
+logic and configuration by using exact redirect URI matching. This means the
+authorization server MUST ensure that the two URIs are equal, see [@!RFC3986],
+Section 6.2.1, Simple String Comparison, for details. The only exception are
 native apps using a `localhost` URI: In this case, the AS MUST allow variable
 port numbers as described in [@!RFC8252], Section 7.3.
 
