Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

John Bradley <ve7jtb@ve7jtb.com> Thu, 03 August 2017 16:58 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <066BD9E2-9CD2-4546-96C5-6F49FD9E3F58@ve7jtb.com>
Date: Thu, 3 Aug 2017 12:58:38 -0400
In-Reply-To: <CA+k3eCSDRLGz_A1GSXX6R6CsmTvB8A3+Q7iWQB0Wkpa6XBUWfA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com> <F0247BE6-392F-4511-9A2B-D97A0A660DF1@ve7jtb.com> <CA+k3eCSu4Jnnm76HQ69T6fsadOBXfCYvOUG+fg5n5rwDwqg0AQ@mail.gmail.com> <C98A6C4C-15CF-4DE2-ABDD-B79A6C895746@ve7jtb.com> <CA+k3eCSDRLGz_A1GSXX6R6CsmTvB8A3+Q7iWQB0Wkpa6XBUWfA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8HYZDP6TypUGOQ8OSVo0k3Iepds>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

Good, so you could send both to be safe without it breaking.

John B.
> On Aug 3, 2017, at 12:55 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> No, Chrome only shows the error message deep inside the developer tools console. 
> 
> On Thu, Aug 3, 2017 at 10:51 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> No one ever said that browsers are consistent.
> 
> I think Chrome has supported a subset of the new header for a while but won’t have full support until Chrome 61 gets out of beta.
> 
> Is chrome showing a user visible error with the old header?
> 
> Easiest thing would be to use the new header and deny access to anyone still using IE:)
> 
> John B.
> 
> 
>> On Aug 3, 2017, at 12:43 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> 
>> Really all I know is that recent versions of Chrome complain that referrer is an unrecognized Content-Security-Policy directive, which led me to look up the changes and content in my original message.  
>> 
>> On Thu, Aug 3, 2017 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> Brian 
>> 
>> To answer my own question to some extent, this page has support status for the browsers:
>> http://caniuse.com/#feat=referrer-policy
>> 
>> It looks like only Firefox supports strict-origin.
>> 
>> Most of them support origin.
>> 
>> Some like IE, Opera Mini and older versions of Android (4) don’t support Referrer-Policy at all.
>> 
>> So I think 
>> Referrer-Policy: origin
>> 
>> With a note that you still need to use  Content-Security-Policy: for IE and Android (4).  There may be some other OEM provided browsers on Android from Samsung and others that may not have support but they are a small number in general.
>> 
>> John B.
>> 
>> 
>>> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>> 
>>> Not sure of the status at this point (it is expired) but the draft-ietf-oauth-closing-redirectors WG document in https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3 suggests using the Content Security Policy header to limit the information sent in the referer something like this:
>>> 
>>>   Content-Security-Policy: referrer origin;
>>> 
>>> Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer) the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated. And it looks like Referrer-Policy should be used instead for that purpose (again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). So the draft-ietf-oauth-closing-redirectors document should probably suggest the Referrer-Policy something more like this:
>>> 
>>>    Referrer-Policy: strict-origin 
>>> 
>>> 
>>> 
>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
> 
> 
> 
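The thread settles on sending the modern `Referrer-Policy` header and, for browsers that predate it, the obsolete CSP `referrer` directive as well, on the grounds that an unrecognised directive is ignored rather than breaking anything. The following Python is an added example, not code from the thread, the draft or any of the participants: `referrer_headers()` builds that pair of headers for a response whose URL carries an authorization code, and `audit()` checks a captured set of response headers to report whether either mechanism restricts the referrer. The set of `Referrer-Policy` tokens that withhold the URL path and query cross-origin is taken from the Referrer Policy specification; the header-name normalisation and the handling of the comma-separated fallback list (last recognised token wins) follow that specification too. Function and constant names are this example's own.

```python
# Added example (not from the thread or the draft): emit the two
# referrer-restricting headers discussed in the thread, and audit a
# response's headers for them.
from typing import Dict, List, Optional

# Referrer-Policy tokens that never send the path and query of the referring
# URL to a cross-origin destination. On an OAuth redirect endpoint the query
# holds the authorization code and state, so these are the values that keep
# them out of third-party Referer headers. The thread discusses "origin" and
# "strict-origin"; the others are the remaining path-withholding tokens from
# the Referrer Policy spec.
PATH_SAFE_POLICIES = frozenset({
    "no-referrer",
    "origin",
    "strict-origin",
    "same-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
})

# Tokens a browser recognises at all; "no-referrer-when-downgrade" and
# "unsafe-url" are valid but send the full URL cross-origin.
KNOWN_POLICIES = PATH_SAFE_POLICIES | {"no-referrer-when-downgrade", "unsafe-url"}


def referrer_headers(modern: str = "strict-origin",
                     legacy: Optional[str] = "origin") -> Dict[str, str]:
    """Headers for a response whose URL carries a code or token.

    `modern` is the Referrer-Policy value (current browsers). `legacy` goes in
    the obsolete CSP `referrer` directive for browsers that predate
    Referrer-Policy; pass None to omit it. A browser that does not recognise a
    directive ignores it, which is why sending both is safe.
    """
    if modern not in PATH_SAFE_POLICIES:
        raise ValueError(f"{modern!r} would leak the URL path cross-origin")
    headers = {"Referrer-Policy": modern}
    if legacy is not None:
        headers["Content-Security-Policy"] = f"referrer {legacy}"
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_referrer_policy(value: str) -> Optional[str]:
    """Resolve a Referrer-Policy header value to the policy a browser applies.

    The header may list several comma-separated policies; unrecognised tokens
    are skipped and the last recognised one wins, so a newer token can be
    listed after a fallback without breaking older browsers.
    """
    chosen = None
    for token in value.split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen


def audit(headers: Dict[str, str]) -> Dict[str, object]:
    """Report whether captured response headers restrict the referrer.

    Header names are matched case-insensitively. `modern_ok` covers
    Referrer-Policy; `legacy_ok` covers the obsolete CSP `referrer` directive.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    modern = effective_referrer_policy(lower.get("referrer-policy", ""))
    csp_referrer = parse_csp(lower.get("content-security-policy", "")).get("referrer", [])
    legacy = csp_referrer[0].lower() if csp_referrer else None
    return {
        "referrer_policy": modern,
        "modern_ok": modern in PATH_SAFE_POLICIES,
        "csp_referrer": legacy,
        "legacy_ok": legacy in PATH_SAFE_POLICIES,
    }


if __name__ == "__main__":
    # Constructed sample: a redirect response that only carries the old
    # directive, beside the header pair this example recommends.
    print(audit({"Content-Security-Policy": "default-src 'self'; referrer origin"}))
    print(audit(referrer_headers()))
```

A response that sets only the CSP directive audits as `legacy_ok` but not `modern_ok`, which is the gap Brian's original message points at; the pair from `referrer_headers()` passes both checks.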