Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

Brian Campbell <bcampbell@pingidentity.com> Thu, 03 August 2017 16:56 UTC

In-Reply-To: <C98A6C4C-15CF-4DE2-ABDD-B79A6C895746@ve7jtb.com>
References: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com> <F0247BE6-392F-4511-9A2B-D97A0A660DF1@ve7jtb.com> <CA+k3eCSu4Jnnm76HQ69T6fsadOBXfCYvOUG+fg5n5rwDwqg0AQ@mail.gmail.com> <C98A6C4C-15CF-4DE2-ABDD-B79A6C895746@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 3 Aug 2017 10:55:30 -0600
Message-ID: <CA+k3eCSDRLGz_A1GSXX6R6CsmTvB8A3+Q7iWQB0Wkpa6XBUWfA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HAkGhmBGPB4gw838AcawBmSozMc>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

No, Chrome only shows the error message deep inside the developer tools
console.

On Thu, Aug 3, 2017 at 10:51 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> No one ever said that browsers are consistent.
>
> I think Chrome has supported a subset of the new header for a while but
> won’t have full support until Chrome 61 gets out of beta.
>
> Is chrome showing a user visible error with the old header?
>
> Easiest thing would be to use the new header and deny access to anyone
> still using IE:)
>
> John B.
>
>
> On Aug 3, 2017, at 12:43 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Really all I know is that recent versions of Chrome complain that referrer
> is an unrecognized Content-Security-Policy directive, which led me to look
> up the changes and content in my original message.
>
> On Thu, Aug 3, 2017 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> Brian
>>
>> To answer my own question to some extent, this page has support status
>> for the browsers:
>> http://caniuse.com/#feat=referrer-policy
>>
>> It looks like only Firefox supports strict-origin.
>>
>> Most of them support origin.
>>
>> Some like IE, Opera Mini and older versions of Android (4) don’t support
>> Referrer-Policy at all.
>>
>> So I think
>> Referrer-Policy: origin
>>
>> With a note that you still need to use Content-Security-Policy: for IE
>> and Android (4).  There may be some other OEM provided browsers on Android
>> from Samsung and others that may not have support but they are a small
>> number in general.
>>
>> John B.
>>
>>
>> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>> Not sure of the status at this point (it is expired) but the
>> draft-ietf-oauth-closing-redirectors WG document in
>> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
>> suggests using the Content Security Policy header to limit the information
>> sent in the referer something like this:
>>
>>   Content-Security-Policy: referrer origin;
>>
>> Consistent with the latest draft of
>> https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla (see
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer)
>> the Content-Security-Policy (CSP) referrer directive is obsolete and
>> deprecated. And it looks like Referrer-Policy should be used instead for
>> that purpose (again see Mozilla:
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
>> So the draft-ietf-oauth-closing-redirectors document should probably
>> suggest the Referrer-Policy something more like this:
>>
>>    Referrer-Policy: strict-origin
>>
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

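The thread above is about which header keeps an OAuth redirect URI (which carries the authorization code and state in its query) out of the Referer when the page at that URI loads cross-origin resources. The following is an added example written for this archive page, not code from the draft or from any of the participants. It implements the W3C Referrer Policy "determine request's referrer" algorithm for each policy name discussed (origin, strict-origin and the rest), simplified to http/https URLs and ignoring the spec's 4096-byte length cap, and adds a small header check that flags the obsolete `Content-Security-Policy: referrer` form from draft -00 and reports whether the `Referrer-Policy` actually set would leak the query. The redirect URI, the tracker and CDN URLs, and the header sets are constructed for illustration. One caveat worth knowing when reading the draft: at the time of this thread browsers defaulted to `no-referrer-when-downgrade`, which sends the full URL including the query to any HTTPS destination; they now default to `strict-origin-when-cross-origin`, but an explicit header is still the only way to get `strict-origin` or `no-referrer`.

```python
"""Added example (not from the draft or this thread): what a browser puts in
the Referer header when it leaves an OAuth redirect URI, per the W3C Referrer
Policy algorithm (simplified to http/https; the 4096-byte cap is ignored),
plus a check for the obsolete CSP 'referrer' directive the -00 draft used."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)

def _strip(url, origin_only):
    """Spec's 'strip url for use as a referrer': drop userinfo and fragment;
    origin-only keeps scheme://host[:port]/ and nothing else."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return ""
    netloc = p.netloc.rsplit("@", 1)[-1]  # remove user:pass@
    if origin_only:
        return urlunsplit((p.scheme, netloc, "/", "", ""))
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def _origin(url):
    p = urlsplit(url)
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def referrer_for(policy, source, destination):
    """Referer value sent from `source` when fetching `destination` under
    `policy`; '' means the header is omitted."""
    policy = policy.strip().lower()
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    same_origin = _origin(source) == _origin(destination)
    # Downgrade = leaving TLS for a plaintext destination.
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(destination).scheme != "https")
    full, origin = _strip(source, False), _strip(source, True)
    if policy == "no-referrer":
        return ""
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return "" if downgrade else full
    if policy == "same-origin":
        return full if same_origin else ""
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return "" if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin (the current browser default)
    if same_origin:
        return full
    return "" if downgrade else origin

def effective_policy(header_value):
    """Referrer-Policy may be a comma-separated fallback list: the last
    token the browser recognises wins and unknown tokens are skipped."""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen

def audit_headers(headers, redirect_uri):
    """Flag the obsolete CSP form and report whether the Referrer-Policy
    actually set would reveal the redirect URI's query (code, state) to a
    cross-origin HTTPS resource such as a script or image on the page."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    directives = [d.split()[0].lower() for d in csp.split(";") if d.strip()]
    if "referrer" in directives:
        findings.append("obsolete: CSP 'referrer' directive; use Referrer-Policy")
    if "referrer-policy" not in h:
        findings.append("missing: no Referrer-Policy header")
        return findings
    policy = effective_policy(h["referrer-policy"])
    if not policy:
        findings.append("unusable: Referrer-Policy has no recognised value")
        return findings
    sent = referrer_for(policy, redirect_uri, "https://third-party.example/a.js")
    query = urlsplit(redirect_uri).query
    if query and query in sent:
        findings.append(f"leak: policy {policy!r} sends the query cross-origin")
    return findings

if __name__ == "__main__":
    # Constructed redirect URI carrying an authorization code and state.
    cb = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"
    for pol in POLICIES:
        print(f"{pol:32} {referrer_for(pol, cb, 'http://tracker.example/p.gif') or '(no Referer)'}")
    print(audit_headers({"Content-Security-Policy": "referrer origin;"}, cb))
    print(audit_headers({"Referrer-Policy": "strict-origin"}, cb))
```

Running it shows the difference the two suggestions in the thread make: `origin` always reveals `https://client.example/` and nothing more, while `strict-origin` additionally drops the header entirely on an HTTPS-to-HTTP downgrade; neither ever sends the query. `audit_headers` on a response that only carries the draft -00 `Content-Security-Policy: referrer origin;` reports the directive as obsolete and the `Referrer-Policy` header as missing, which is exactly the situation that produces the Chrome console warning mentioned at the top of this message.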