Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

John Bradley <ve7jtb@ve7jtb.com> Thu, 03 August 2017 15:35 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16444132477 for <oauth@ietfa.amsl.com>; Thu, 3 Aug 2017 08:35:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hq65Rqb0oXnz for <oauth@ietfa.amsl.com>; Thu, 3 Aug 2017 08:35:32 -0700 (PDT)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F40C413246D for <oauth@ietf.org>; Thu, 3 Aug 2017 08:35:31 -0700 (PDT)
Received: by mail-lf0-x22a.google.com with SMTP id o85so7683215lff.3 for <oauth@ietf.org>; Thu, 03 Aug 2017 08:35:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=eqTmQd1rj7mbXL3OU/27WNKS9UVuLmxNYv6VGgevMlk=; b=SmeJdcrrHFnOZqS5IgIt0ZIl7ll7dJcfM1sTnbcwBp+EfMNXQGSh5Mcwn2DUYt1Xnn L1F2kwIzuj/uPedMpssuxWbc7nerFfBup2px0FtqmikZ/9WJAO0vi2F8WIhw/w0peO1q kBCTONSs0foaLUCXFMD8ZKItxdV1V2rUImpRaNmF/RSruaHBICUK2nQEgBWy3mCt7XWF 7AbWuk8hplL8JrJfpWuwkd8V/6dlZqBY0gCjsWO+B8Ryk3AVue4hhy4480cY4Q6bJLDH c/br1uaqjWmIyQl+/K/km/QHoYXEbIZE96v199eRZONwpELvnmXEZY7J4WT/1HuswOTX iFSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=eqTmQd1rj7mbXL3OU/27WNKS9UVuLmxNYv6VGgevMlk=; b=Iq8hZtDITWJ7A++vlHzHIuz9lEH5DZPNEFCwQsEyLJLS/Ap8b9CcQZbTj+KVZ0gMmZ evpIFN2KUKv/IHAvBuzNRxQ8mDBzHJnS9VGWgjaDF6Xlmbl4onvK4671spP989OWfdom /XkB9ywqmo43Exs4vkVMZ5P4OsDVtmX7a1JqWCPRxtv2bmhjStnzUXcrveHFHrVWjsLV 7HmdZQeuYnGcakXQ8qAnAf8xGMyRAc1ueJYnTuj/5vehLGJOWlWRiY9b90CtLHoHdczA uD1Z2qidsZDuPiKO7R2VCcYgT+w3hMQbJIegDZfIK4BctCktVKy3qVES2FX+KRJO+KwJ /awQ==
X-Gm-Message-State: AHYfb5hinXoAUrAX1ywE36URRo2rBpRFAnI9dKk6QDum1d+dDi34X8bX E/XP283MIsYJSr9i
X-Received: by 10.25.93.70 with SMTP id p6mr786399lfj.139.1501774530002; Thu, 03 Aug 2017 08:35:30 -0700 (PDT)
Received: from [192.168.86.103] ([191.115.81.54]) by smtp.gmail.com with ESMTPSA id j71sm1230094lfk.32.2017.08.03.08.35.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Aug 2017 08:35:29 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <F0247BE6-392F-4511-9A2B-D97A0A660DF1@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 3 Aug 2017 11:35:19 -0400
In-Reply-To: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="f403045e26406b45240555db21d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_RdIQHCYUgeAx4oweW_4wR2SAAw>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 15:35:35 -0000

Brian 

To answer my own question to some extent, this page has support status for the browsers:
http://caniuse.com/#feat=referrer-policy

It looks like only FireFox supports strict-origin.

Most of them support origin.

Some like IE, Opera Mini and older versions of Android (4) don’t support Referrer-Policy at all.

So I think 
Referrer-Policy: origin

With a note that you still need to use  Content-Security-Policy: for IE and Android (4).  There may be some other OEM provided browsers on Android from Samsung and others that may not have support but they are a small number in general.

John B.


> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampbell@pingidentity.com>; wrote:
> 
> Not sure of the status at this point (it is expired) but the draft-ietf-oauth-closing-redirectors WG document in https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3 <https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3> suggests using the Content Security Policy header to limit the information sent in the referer something like this: 
> 
>   Content-Security-Policy: referrer origin;
> 
> Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/ <https://w3c.github.io/webappsec-referrer-policy/> and according to Mozilla (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer>) the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated. And it looks like Referrer-Policy should be used instead for that purpose (again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy>). So the draft-ietf-oauth-closing-redirectors document should probably suggest the Referrer-Policy something more like this:
> 
>    Referrer-Policy: strict-origin 
> 
> 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth