Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

John Bradley <> Thu, 03 August 2017 15:35 UTC

From: John Bradley <>
Message-Id: <>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 3 Aug 2017 11:35:19 -0400
In-Reply-To: <>
Cc: oauth <>
To: Brian Campbell <>
References: <>


To answer my own question to some extent, this page has support status for the browsers:

It looks like only Firefox supports strict-origin.

Most of them support origin.

Some like IE, Opera Mini and older versions of Android (4) don’t support Referrer-Policy at all.

So I think:

Referrer-Policy: origin

with a note that you still need to use Content-Security-Policy: for IE and Android (4). There may be some other OEM-provided browsers on Android from Samsung and others that may not have support, but they are a small number in general.

John B.

> On Aug 2, 2017, at 6:46 PM, Brian Campbell <> wrote:
> Not sure of the status at this point (it is expired) but the draft-ietf-oauth-closing-redirectors WG document in <> suggests using the Content Security Policy header to limit the information sent in the referer something like this: 
>   Content-Security-Policy: referrer origin;
> Consistent with the latest draft of <> and according to Mozilla (see <>) the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated. And it looks like Referrer-Policy should be used instead for that purpose (again see Mozilla: <>). So the draft-ietf-oauth-closing-redirectors document should probably suggest the Referrer-Policy something more like this:
>    Referrer-Policy: strict-origin 
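The exchange above turns on what a browser actually puts in the Referer header for a client's redirect URI (which carries `code` and `state` in its query string) under the two candidate policies, and on the fallback header for browsers without Referrer-Policy support. The following is an added example, not code from the draft or from either poster: it simulates the browser side of the Referrer Policy spec's referrer computation for the policies discussed, checks whether the sensitive parameters survive in what a third-party resource would receive, and builds the response headers a redirect endpoint would send. The redirect URI, the `code` and `state` values, the third-party resource URLs, and the simplified trustworthy-origin check are all constructed for illustration.

```javascript
// Added example for this thread, not code from draft-ietf-oauth-closing-redirectors
// or from either poster. It models the "determine request's referrer" step of the
// W3C Referrer Policy spec for the policies discussed above and shows the headers
// a client's OAuth redirect endpoint would send so that the authorization code and
// state in its URL do not leak through Referer. All URLs and parameter values below
// are constructed sample data.

function isPotentiallyTrustworthy(url) {
  // Simplified (assumed) version of the spec's check: secure schemes and localhost.
  return url.protocol === 'https:' || url.protocol === 'wss:' ||
         url.hostname === 'localhost';
}

function stripForReferrer(href) {
  // Browsers never send credentials or the fragment in Referer.
  const u = new URL(href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer value a browser would attach to a request for `toHref`
// made from the page `fromHref` under `policy`, or null when none is sent.
function computeReferrer(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const sameOrigin = from.origin === to.origin;
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);
  const full = stripForReferrer(fromHref);
  const originOnly = from.origin + '/';   // serialized origin, trailing slash included
  switch (policy) {
    case 'no-referrer':                   return null;
    case 'origin':                        return originOnly;
    case 'strict-origin':                 return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade':    return downgrade ? null : full;
    case 'same-origin':                   return sameOrigin ? full : null;
    case 'origin-when-cross-origin':      return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : originOnly);
    case 'unsafe-url':                    return full;
    default: throw new Error('unknown Referrer-Policy value: ' + policy);
  }
}

// True if any of the named query parameters of the redirect URI survive in the
// Referer value the third party would receive.
function referrerLeaksParams(referrer, redirectHref, names) {
  if (referrer === null) return false;
  const wanted = new URL(redirectHref).searchParams;
  const sent = new URL(referrer).searchParams;
  return names.some(n => wanted.has(n) && sent.get(n) === wanted.get(n));
}

// Headers for the client's redirect endpoint: Referrer-Policy for current browsers,
// plus the deprecated CSP referrer directive as the fallback the thread mentions
// for browsers that do not support Referrer-Policy.
function redirectEndpointHeaders() {
  return {
    'Referrer-Policy': 'origin',
    'Content-Security-Policy': 'referrer origin',
  };
}

// Constructed sample: the client's redirect URI as the authorization server calls it.
const REDIRECT = 'https://client.example/cb?code=EXAMPLE_CODE_0123&state=EXAMPLE_STATE';

if (typeof require !== 'undefined' && require.main === module) {
  for (const policy of ['no-referrer-when-downgrade', 'origin', 'strict-origin']) {
    for (const dest of ['https://cdn.example/app.js', 'http://tracker.example/pixel.gif']) {
      const r = computeReferrer(policy, REDIRECT, dest);
      console.log(policy.padEnd(28), dest.padEnd(34), String(r),
                  referrerLeaksParams(r, REDIRECT, ['code', 'state']) ? 'LEAKS' : '');
    }
  }
}
```

Run with `node` to see the table. Both `origin` and `strict-origin` keep `code` and `state` out of the Referer; they differ only on an HTTPS-to-HTTP request, where `strict-origin` sends nothing and `origin` still reveals the client's origin. The pre-policy default, `no-referrer-when-downgrade`, sends the full redirect URI to any HTTPS third party, which is the leak the draft is closing.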