Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

Brian Campbell <bcampbell@pingidentity.com> Thu, 03 August 2017 16:44 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3E2F13256A for <oauth@ietfa.amsl.com>; Thu, 3 Aug 2017 09:44:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rAbiX5Khcgv for <oauth@ietfa.amsl.com>; Thu, 3 Aug 2017 09:44:31 -0700 (PDT)
Received: from mail-pg0-x22c.google.com (mail-pg0-x22c.google.com [IPv6:2607:f8b0:400e:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F15AC13255A for <oauth@ietf.org>; Thu, 3 Aug 2017 09:44:30 -0700 (PDT)
Received: by mail-pg0-x22c.google.com with SMTP id v77so8344499pgb.3 for <oauth@ietf.org>; Thu, 03 Aug 2017 09:44:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Rd4fn3qiTB1elGIkQO75J6inst50VRxfgSVOln32lvA=; b=Ka0S+jm12TYBMb/ceI4C/rJZlY3l3dM7J97ZUtNtnyG1JJxeZwP0J2dCFdadzuPrmI HJyAR34q0yAwEE8ZCJgOLUI5TlIbgNzhXR8PIwhlO1tBRRQcRauLuBKdKmACguEQrKSj 28pXTfYKI8tBrzRVmhGoEGLtreqAJR+ZtgUiY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Rd4fn3qiTB1elGIkQO75J6inst50VRxfgSVOln32lvA=; b=T/eB451roW7MOjQZe+2tGUIK21wejcGa6rVAzbwJeH9MyEHfOQrQjhFv/8ZEjtAPXn objgW6Bg2cyIgeQGoy0mJvgQJGN1I8A4TXTf7d8kIbYpyAKZQ2BWJzA3vyWEZTu+NbeY OqaiIVgHtfRN+dgMx6x+UCr1wqdbNTo7ueToKe+WcXCqehFCdrqcXGnVzTqDPPPcbQ76 Jb+kqrBmqEOOdbqtZ5BHtvqkGQqRht6LGM8sLIuZCdpY/H+WQfs5YksEmvcmwNiWZoTv ZSS5lSoXqCnubtTLEnI1QzP7dK8uVBQGK/vdMqna6Nz/Rx7PFa+si82/DdXz4Re1xWZP M/nQ==
X-Gm-Message-State: AIVw111BHmOid7qbV2ZSG5liUpR9js7M/lLRvyRn5F+BRa5oMthkupus 5gZKVsszWhCXz3oEh7kIIwQ1jAqDYoCphHnmPlRKvy4pVli1raPjXJfQtr0nUyIlqFhJJugrGwy DNSVpmdM=
X-Received: by 10.99.103.129 with SMTP id b123mr2141017pgc.14.1501778670378; Thu, 03 Aug 2017 09:44:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.182.230 with HTTP; Thu, 3 Aug 2017 09:43:59 -0700 (PDT)
In-Reply-To: <F0247BE6-392F-4511-9A2B-D97A0A660DF1@ve7jtb.com>
References: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com> <F0247BE6-392F-4511-9A2B-D97A0A660DF1@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 3 Aug 2017 10:43:59 -0600
Message-ID: <CA+k3eCSu4Jnnm76HQ69T6fsadOBXfCYvOUG+fg5n5rwDwqg0AQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0568ce2e00950555dc1844"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ErrPXGW4d2qVKuGd3M6Bp7_fAAI>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 16:44:33 -0000

Really all I know is that recent versions of Chrome complain that referrer
is an unrecognized Content-Security-Policy directive, which led me to look
up the changes and content in my original message.

On Thu, Aug 3, 2017 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com>; wrote:

> Brian
>
> To answer my own question to some extent, this page has support status for
> the browsers:
> http://caniuse.com/#feat=referrer-policy
>
> It looks like only FireFox supports strict-origin.
>
> Most of them support origin.
>
> Some like IE, Opera Mini and older versions of Android (4) don’t support
> Referrer-Policy at all.
>
> So I think
> Referrer-Policy: origin
>
> With a note that you still need to use  Content-Security-Policy: for IE
> and Android (4).  There may be some other OEM provided browsers on Android
> from Samsung and others that may not have support but they are a small
> number in general.
>
> John B.
>
>
> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampbell@pingidentity.com>;
> wrote:
>
> Not sure of the status at this point (it is expired) but the
> draft-ietf-oauth-closing-redirectors WG document in
> https://tools.ietf.org/html/draft-ietf-oauth-closing-
> redirectors-00#section-2.3 suggests using the Content Security Policy
> header to limit the information sent in the referer something like this:
>
>   Content-Security-Policy: referrer origin;
>
> Consistent with the latest draft of https://w3c.github.io/webappse
> c-referrer-policy/ and according to Mozilla (see
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co
> ntent-Security-Policy/referrer) the Content-Security-Policy (CSP)
> referrer directive is obsolete and deprecated. And it looks like
> Referrer-Policy should be used instead for that purpose (again see Mozilla:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
> So the draft-ietf-oauth-closing-redirectors document should probably
> suggest the Referrer-Policy something more like this:
>
>    Referrer-Policy: strict-origin
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

-- 
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*