Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

John Bradley <ve7jtb@ve7jtb.com> Mon, 07 August 2017 16:40 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B9C0132631 for <oauth@ietfa.amsl.com>; Mon, 7 Aug 2017 09:40:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CE0mQyg4tfRK for <oauth@ietfa.amsl.com>; Mon, 7 Aug 2017 09:39:57 -0700 (PDT)
Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 699EF13262F for <oauth@ietf.org>; Mon, 7 Aug 2017 09:39:57 -0700 (PDT)
Received: by mail-qt0-x22f.google.com with SMTP id p3so5841254qtg.2 for <oauth@ietf.org>; Mon, 07 Aug 2017 09:39:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=KDJMX1vUPC3PuE1Wk8E+g4T9FtlKXzHOzRBCpchXVL8=; b=o1qYHB82PQmMxlhdhYxbXs7OdR/5Lx9j4y9vdiDTYM4uFrwBmrmjxAacvbaMNcH5cb 7scvXykgKT/4yvmzS6TsRbBaTXhAZgmUBvZktRldfUusfGhwnp5LoChVXn8Dilw41oi6 plKXrNRrt+6FR8NH0XRaLlSxk+lMxZgiu4NTr34l9O9g+YR25mLRr3VcACyQmqnFXJ2i nEBxWND6QC1Z/TiN2WhuDq7xBscC2KarWrIjEGq4dKmTiJICj2XScP+A0vIJMNYv9a5i u39x3MNnELq57HxdhkvCsdcWPYfAlf44/PpG7vWV8doG2PXETzv4e0YEQNq4uhFHBCrQ YfVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=KDJMX1vUPC3PuE1Wk8E+g4T9FtlKXzHOzRBCpchXVL8=; b=L0dLzPS6zoPgJfPTa2RVHBiKENR8/TiLkzFskmxpUyox1ifcfFWFMF9pXO0ABEHtKd ny/AKq8k+4WNoaXSxB/xMktQv0JqQUt128T23+APsaMH04WHSiPAujWK+vuHFciyg3dg dk6Oscs4y7Weu6LjTkw3pMe6fpbq8Q+4OSDG1yNbrLEehU/w7Q6o1s8XxdynA0wyaDet enode8FaKm0fqxbtbnGW72IkuvamoXXwYauQVwFh0ob2ds/ZW1do40tfg8DPIMPL0RAh yXJKvfSE8Dd6cHgWa1Dw/Cp7MohCwu79VRPjeVwNnk0vGN28VnzubOQFalEePnkPlYG1 Ua+A==
X-Gm-Message-State: AHYfb5jKJtT/tT3r5SUNOm+8Hhu/1CsS1CDSpy9TY3za1JiVFpHHGDSe dFoLAZv2ZIdUk4kZmWet5w==
X-Received: by 10.200.38.155 with SMTP id 27mr1748817qto.228.1502123996319; Mon, 07 Aug 2017 09:39:56 -0700 (PDT)
Received: from johns-mbp.lan ([191.115.204.25]) by smtp.gmail.com with ESMTPSA id q15sm5512640qkl.26.2017.08.07.09.39.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 07 Aug 2017 09:39:55 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <CA448772-2DA3-422B-90C4-C0425A997A9A@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 7 Aug 2017 12:39:50 -0400
In-Reply-To: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a11404c843b3f2d05562c7f76"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Nr4GCqON_Eh1dPJkFmvaXeqt5pU>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 16:40:00 -0000

This is being rolled in to the broader security documents Torsten and others have been working on.

It wouldn’t hurt to update this draft to have the correct referrer policy. Even if it is not progressing, people will still look at it.

I will refresh the draft with the change.

Thanks,

John B.

> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampbell@pingidentity.com>; wrote:
> 
> Not sure of the status at this point (it is expired) but the draft-ietf-oauth-closing-redirectors WG document in https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3 <https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3> suggests using the Content Security Policy header to limit the information sent in the referer something like this: 
> 
>   Content-Security-Policy: referrer origin;
> 
> Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/ <https://w3c.github.io/webappsec-referrer-policy/> and according to Mozilla (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer>) the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated. And it looks like Referrer-Policy should be used instead for that purpose (again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy>). So the draft-ietf-oauth-closing-redirectors document should probably suggest the Referrer-Policy something more like this:
> 
>    Referrer-Policy: strict-origin 
> 
> 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth