IETF Logo Mail Archive

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment

Jim Manico <jim@manicode.com> Sun, 09 December 2018 15:22 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A41C130EF2 for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 07:22:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCN7fO1pT8Eq for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 07:22:28 -0800 (PST)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 047751277BB for <oauth@ietf.org>; Sun, 9 Dec 2018 07:22:27 -0800 (PST)
Received: by mail-qk1-x72a.google.com with SMTP id q70so5158788qkh.6 for <oauth@ietf.org>; Sun, 09 Dec 2018 07:22:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=n8C5piO0jRytsPelYU0K/nIP8IJQ4A+SrMrbwO6N9Ts=; b=Wiqm3moHIVQhgXrGyRb6QdLGn3Mw7YapAmgOTqg6wPKjKJtPMRqnFaozE3Z98vZz44 kaCYBbWD5CisEhmP4NzGhJFC94jHK/zJZkLKGt5H/FlU96xUwR1P+b90gLH5342kk4yY 7/T/IL3tHgWH6IAT+AvVtgiJh63EvkOI07EWUdtgR+owILQ2OAqexMpseOqEeSihEghw uISvE/qftMZWu45j4IRBwQ6IsldB1oQDcG2XlWebdTY1XuBhikY3KbrncSSXYOvEmsjA PTaNUBXUpkIdv7TqJfY1WaOxHIbgLqqcSvNdu7vEQupwcC1ImCtkLDNa9MqMebEjxhyy zcMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=n8C5piO0jRytsPelYU0K/nIP8IJQ4A+SrMrbwO6N9Ts=; b=AhQRJILrCBAHowEWDp1NFx+LBs7wciHVrR9KDEiWpJ/hiDWseNXJLpDxS9PEkWXoaI DtKzE6vOXFv9s8hMnfnInBOHSXwbml4X4Qf613HUY112vk6l2s0eZzgoX2M2D7WYGh/v IJSu48EJxNdfqTYmoJ0El6guJG+VgIo4Bxc6kcJhyV8gDpFiLqD11HgpsG5tpbfAEkY+ LPvFu9n2NIsWG/7ohk874jtY6OFRiLVlgm8zl+yAdMiM8iQYfUoCEuc0wveKO/mLY1c4 McVHp0iuh5KttDPWKgpITSXzX5BK3qe7Y3cuRlbbkY9qPkHL+2hkQtWb41iREfa6X3X2 xPqg==
X-Gm-Message-State: AA+aEWawEsYR4iVFhArf2rUwWhiIFjhEv5dj9mywCCNEdZrVf68KGPtR wHXj5y5rs4DdKk6+DqT2VGLU9w==
X-Google-Smtp-Source: AFSGD/VGxvmNsTb+4M0CQ7FfE15Dp/pfNTueRqDsPVNn+VtWEbpeRT82bRM5yihdJPyjySihOa2+Bw==
X-Received: by 2002:ae9:ef8a:: with SMTP id d132mr7924730qkg.11.1544368946782; Sun, 09 Dec 2018 07:22:26 -0800 (PST)
Received: from [10.38.127.203] (mobile-107-107-56-28.mycingular.net. [107.107.56.28]) by smtp.gmail.com with ESMTPSA id p42sm5372082qte.8.2018.12.09.07.22.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 09 Dec 2018 07:22:25 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-2C358F33-D4D2-42C8-AE38-EDD715676A5E"
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manicode.com>
X-Mailer: iPhone Mail (16C50)
In-Reply-To: <CALAqi__Y4ER=xiNkOmEudNS30vsQhuudO9uQU8nPMcxX2suLZQ@mail.gmail.com>
Date: Sun, 09 Dec 2018 10:22:24 -0500
Cc: Brock Allen <brockallen@gmail.com>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <4EF1B845-FDDA-4E2A-8F5F-8F9620484885@manicode.com>
References: <6d88c55a-a300-47ff-af77-8fdb7dcfbc25@getmailbird.com> <CAGBSGjrj95i97mVDJq7jDA0DsLH-NasiH+E0nqc+6XjL-mnt4Q@mail.gmail.com> <c33d0aef-bc34-4daa-8bc9-8252780f4e69@getmailbird.com> <CAGBSGjqQPRUe+AhzoRcTGf5MTOATd-875JG90RcRQ+2Hoy2wyg@mail.gmail.com> <d34d9d15-6b50-4b1e-8483-80f0ab709a98@getmailbird.com> <F9914ABE-3C3F-4BCE-B623-AECF18E737F9@alkaline-solutions.com> <eeeed3ba-10d3-4b42-9da2-1460d13e4351@getmailbird.com> <CALAqi__Y4ER=xiNkOmEudNS30vsQhuudO9uQU8nPMcxX2suLZQ@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0QAc1kRGoUF0IOorBVXwpLGhFWQ>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 15:22:30 -0000

Please keep in mind that these referrer removing standards are relatively new and do not work in older browsers. Sensitive data of any kind in URL’s is still a very basic insecure coding practice and has no place in standards. Check out caniuse for how fractured support is for even modern browsers. IE, Edge and Safari iOS still have only partial support.

--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

> On Dec 9, 2018, at 9:23 AM, Filip Skokan <panva.ip@gmail.com> wrote:
> 
> As David suggested,
> 
> it is easier to get rid of the code from a query using a referrer policy header or a meta than getting rid of a fragment which would require the each client to have a javascript snippet rewriting the current window.location.hash
> 
> S pozdravem,
> Filip Skokan
> 
> 
>> On Sun, Dec 9, 2018 at 2:53 PM Brock Allen <brockallen@gmail.com> wrote:
>> Yes, I meant response_mode. Thanks.
>> 
>> And those are good points about the referrer policy. Thanks for that insight as well. 
>> 
>> In the context of this thread/topic, I'm assuming browser-based JS clients, and a common deployment is from a CDN, so I suspect the <meta> tag approach for a referrer policy is sufficient (especially since many SPAs are designed for CDN deployment)?
>> 
>> -Brock
>> 
>>> On 12/9/2018 3:00:23 AM, David Waite <david@alkaline-solutions.com> wrote:
>>> 
>>> I assume the original post meant response_mode, not response_type.
>>> 
>>> Fragments have their own data leakage problems, in particular they are preserved on 3xx redirects (per https://tools.ietf.org/html/rfc7231#section-7.1.2). The form_post mode is the safest, but unfortunately was not defined in the original specifications so it doesn’t have as widespread support.
>>> 
>>> In the absence of a response_mode RFC, I would typically suggest both killing the code in the referrer as part of processing, and a server-wide Referrer Policy of never or origin (as those have reasonably broad support) as server-wide response headers are easier to operationally audit.
>>> 
>>> -DW
>>> 
>>>> On Dec 8, 2018, at 3:53 PM, Brock Allen <brockallen@gmail.com> wrote:
>>>> 
>>>> Not pure OAuth. This only came up as a question while I was implementing code flow/pkce for oidc-client-js.
>>>> 
>>>> I can appreciate not expanding the current OAuth2 behavior in the BCP, so that's fair. I only wanted to mention it in case it had not been considered.
>>>> 
>>>> Having said that, I think I will implement an optional response_type in my code flow/pkce to allow fragment, but default to query (as that's the default for pure code flow).
>>>> 
>>>> -Brock
>>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email