Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

John Bradley <ve7jtb@ve7jtb.com> Thu, 03 August 2017 16:51 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C512B132003 for <oauth@ietfa.amsl.com>; Thu, 3 Aug 2017 09:51:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S05tuzpNb9ci for <oauth@ietfa.amsl.com>; Thu, 3 Aug 2017 09:51:34 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 277F51318A8 for <oauth@ietf.org>; Thu, 3 Aug 2017 09:51:34 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id m86so8553055lfi.4 for <oauth@ietf.org>; Thu, 03 Aug 2017 09:51:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ccjks4ND5Cdqo8735ZurXRUsO6eJo2oT5VIcqwnQm3Q=; b=YlgBdL7h3kXC2U2PHpVFVK+pSDMY/bDSBivHp8ypPjET0wPrkqY402sdZ9dSWg89+R 05Uv5zdk8UEiXzKkS4E1DEndGQQazoPUPzYbMJgCmsjavpeUQVHAUUPwinITlPkQJRps 8NyJKCPxVikM55cj3gxqT6LIamSH66APRUaZBSiU5cCcWU9w3WUGg0Dh2BVkIrRkAFcM OmeoLShmV0IOahH06DI8/5bCy3Qlh4CG08WiZkxo3w/85Ozp/jtpy1RoSb1tC3FrmXPU 4hTob5i7WRb/9QZ1iHaJDYiQaOHVDkloIM7qmV477JiyE9e6fttyEs/uijbU1cc3H530 tZvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ccjks4ND5Cdqo8735ZurXRUsO6eJo2oT5VIcqwnQm3Q=; b=nBDS6VNVkQB5h1BnW6X1ECdAPiTvKGO5VlypHJBq48GCBGWt5MS2cg0sZ85pSYuaul v5EXXS0Do8FDIID7UHb/rZRy019VXUdT393Sh0rCwSuHcPOBlQUPUCIQkS3gfvVWzqaf dlwR7fABy+a3je7nSjvLPoy8SGRkgDrgHgq4NF/4n/WQCq2WrVQA1RWpFKiC15S7V5CK H9DvO0tehSC2O9LVqqTZsSxe1huQ5Ybx5LmGeEdR21dZhUfgElvD0R4LaG7MvmUW5nkz XMGjXKgpwHh0i4O1tgV14hFpqKKzxuNN1iQRSTfyE8ocnqK9rvmV5bEyuTFDBjAOz+CL o8oA==
X-Gm-Message-State: AHYfb5hNCTON01d4W1oABxiB1GF/UPFFqLjmtyzeh9KbbXKEGDkXbCxb ZhY4plKDsZtCw4l7ecHl4Q==
X-Received: by 10.25.27.20 with SMTP id b20mr808299lfb.131.1501779092117; Thu, 03 Aug 2017 09:51:32 -0700 (PDT)
Received: from [192.168.86.103] ([191.115.81.54]) by smtp.gmail.com with ESMTPSA id e7sm474218ljb.84.2017.08.03.09.51.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Aug 2017 09:51:31 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <C98A6C4C-15CF-4DE2-ABDD-B79A6C895746@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 3 Aug 2017 12:51:25 -0400
In-Reply-To: <CA+k3eCSu4Jnnm76HQ69T6fsadOBXfCYvOUG+fg5n5rwDwqg0AQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com> <F0247BE6-392F-4511-9A2B-D97A0A660DF1@ve7jtb.com> <CA+k3eCSu4Jnnm76HQ69T6fsadOBXfCYvOUG+fg5n5rwDwqg0AQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a11401d6e56ed1d0555dc31a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/n-5rei5yWu0Oiro2bn_kbXXdBZ4>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 16:51:38 -0000

No one ever said that browsers are consistent.

I think Chrome has supported a subset of the new header for a while but won’t have full support until Chrome 61 gets out of beta.

Is chrome showing a user visible error with the old header?

Easiest thing would be to use the new header and deny access to anyone still using IE:)

John B.


> On Aug 3, 2017, at 12:43 PM, Brian Campbell <bcampbell@pingidentity.com>; wrote:
> 
> Really all I know is that recent versions of Chrome complain that referrer is an unrecognized Content-Security-Policy directive, which led me to look up the changes and content in my original message.  
> 
> On Thu, Aug 3, 2017 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
> Brian 
> 
> To answer my own question to some extent, this page has support status for the browsers:
> http://caniuse.com/#feat=referrer-policy <http://caniuse.com/#feat=referrer-policy>
> 
> It looks like only FireFox supports strict-origin.
> 
> Most of them support origin.
> 
> Some like IE, Opera Mini and older versions of Android (4) don’t support Referrer-Policy at all.
> 
> So I think 
> Referrer-Policy: origin
> 
> With a note that you still need to use  Content-Security-Policy: for IE and Android (4).  There may be some other OEM provided browsers on Android from Samsung and others that may not have support but they are a small number in general.
> 
> John B.
> 
> 
>> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> 
>> Not sure of the status at this point (it is expired) but the draft-ietf-oauth-closing-redirectors WG document in https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3 <https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3> suggests using the Content Security Policy header to limit the information sent in the referer something like this: 
>> 
>>   Content-Security-Policy: referrer origin;
>> 
>> Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/ <https://w3c.github.io/webappsec-referrer-policy/> and according to Mozilla (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer>) the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated. And it looks like Referrer-Policy should be used instead for  that purpose (again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy>). So the draft-ietf-oauth-closing-redirectors document should probably suggest the Referrer-Policy something more like this:
>> 
>>    Referrer-Policy: strict-origin 
>> 
>> 
>> 
>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.