[OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

Brian Campbell <bcampbell@pingidentity.com> Wed, 02 August 2017 22:47 UTC


Not sure of the status at this point (it is expired), but the
draft-ietf-oauth-closing-redirectors WG document in
https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
suggests using the Content Security Policy header to limit the information
sent in the referer, something like this:

  Content-Security-Policy: referrer origin;

Consistent with the latest draft of
https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla (see
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer),
the Content-Security-Policy (CSP) referrer directive is obsolete and
deprecated. And it looks like Referrer-Policy should be used instead for that
purpose (again see Mozilla:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
So the draft-ietf-oauth-closing-redirectors document should probably
suggest the Referrer-Policy header, something more like this:

   Referrer-Policy: strict-origin

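The check the post implies, as an added example that is not part of the original message or of the draft: a small auditor that parses a redirector's response headers, flags the obsolete CSP `referrer` directive, and confirms a `Referrer-Policy` value is present that keeps path and query out of cross-origin referers. The sample header sets are constructed; the helper names are this example's own.

```python
from typing import Dict, List

# Referrer-Policy tokens defined by the W3C Referrer Policy spec. In a
# comma-separated header value the last recognised token wins and unknown
# tokens are ignored, so a typo silently falls back to the browser default.
KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that never send the path or query string to a cross-origin target;
# "strict-origin" (the post's suggestion) additionally sends nothing on an
# HTTPS -> HTTP downgrade.
PATH_HIDING_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [values]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_referrer_policy(value: str) -> str:
    """Return the token a browser would apply, or "" if none is recognised."""
    chosen = ""
    for token in value.split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a redirect endpoint's response headers (empty = ok)."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    if "referrer" in parse_csp(lower.get("content-security-policy", "")):
        findings.append("CSP 'referrer' directive is obsolete; browsers ignore it")
    policy = effective_referrer_policy(lower.get("referrer-policy", ""))
    if not policy:
        findings.append("no Referrer-Policy header; add 'Referrer-Policy: strict-origin'")
    elif policy not in PATH_HIDING_POLICIES:
        findings.append(f"Referrer-Policy '{policy}' may leak path/query to the target")
    return findings

# Constructed samples: what the -00 draft suggests, and the corrected form.
DRAFT_HEADERS = {"Content-Security-Policy": "referrer origin;"}
FIXED_HEADERS = {"Referrer-Policy": "strict-origin"}

if __name__ == "__main__":
    for name, hdrs in (("draft", DRAFT_HEADERS), ("fixed", FIXED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```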