Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

John Bradley <ve7jtb@ve7jtb.com> Thu, 03 August 2017 15:21 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <EE5F4186-25BA-4837-BFF9-7AAE34136238@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 03 Aug 2017 11:21:14 -0400
In-Reply-To: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCQjXGrfSzeNHu5VRQS0ZW+muZKMAZPWbBrEoaCuzM49Mw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xfpzzNP_XWjcieuxBUuQp6jMr14>

Before I make a change.

Do we know if some browsers don't support Referrer-Policy and may still need Content-Security-Policy?

We could recommend sending both or provide some hint about browser strings to look for.

John B.

> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> Not sure of the status at this point (it is expired) but the draft-ietf-oauth-closing-redirectors WG document in https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3 suggests using the Content Security Policy header to limit the information sent in the referer something like this:
> 
>   Content-Security-Policy: referrer origin;
> 
> Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer) the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated. And it looks like Referrer-Policy should be used instead for that purpose (again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). So the draft-ietf-oauth-closing-redirectors document should probably suggest the Referrer-Policy something more like this:
> 
>    Referrer-Policy: strict-origin 
> 
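As an added illustration, not part of either message above and not text from the draft: the snippet below models what the Referer header carries when a browser navigates away from an OAuth redirect URI under the policies named in the thread (following W3C Referrer Policy semantics), and builds the header pair John suggests sending, the current `Referrer-Policy: strict-origin` beside the draft's legacy `Content-Security-Policy: referrer origin`. The function names, the sample redirect URI with its authorization code and state, and the "evil" destination hosts are constructed for this example.

```python
"""Added example: Referer leakage from an OAuth redirect URI under the
referrer policies discussed in the thread, plus the dual-header response.
Not code from the draft or from the thread participants."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a client redirect URI carrying the code and state.
SAMPLE_SOURCE = "https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"


def _origin(url: str) -> str:
    """Serialized origin without trailing slash: scheme://host[:port]."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}"


def _stripped(url: str) -> str:
    """The URL as browsers put it in Referer: no userinfo, no fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def _is_downgrade(src: str, dst: str) -> bool:
    """TLS-protected source navigating to a non-TLS destination."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"


def referer_for(policy: str, source: str, destination: str):
    """Referer value sent on a navigation from `source` to `destination`
    under `policy`, or None when the browser sends no Referer at all.
    Covers the policies relevant to the thread (hypothetical helper)."""
    same_origin = _origin(source) == _origin(destination)
    downgrade = _is_downgrade(source, destination)
    full = _stripped(source)
    origin = _origin(source) + "/"  # origin-only form ends with "/"
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":  # the legacy browser default
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unsupported policy: {policy}")


def leaks_query(policy: str, source: str, destination: str) -> bool:
    """True if the code/state query string would reach `destination`."""
    ref = referer_for(policy, source, destination)
    return ref is not None and "?" in ref


def redirect_response_headers(location: str) -> dict:
    """Headers for an authorization-server redirect response that sends
    both the current header and the obsolete CSP directive, as the thread
    proposes for browsers that predate Referrer-Policy (constructed)."""
    return {
        "Location": location,
        "Referrer-Policy": "strict-origin",
        # Obsolete directive kept only as a fallback; modern browsers ignore it.
        "Content-Security-Policy": "referrer origin",
    }


if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "strict-origin", "no-referrer"):
        for dst in ("https://evil.example.net/", "http://evil.example.net/"):
            print(f"{pol:28} -> {dst:28} Referer={referer_for(pol, SAMPLE_SOURCE, dst)}")
    print(redirect_response_headers(SAMPLE_SOURCE))
```

Running the block prints the Referer each policy produces for a cross-origin HTTPS and an HTTP destination: the legacy default ships the full URL including `code` and `state` to any HTTPS page, while `strict-origin` reduces it to `https://client.example.com/` and sends nothing on a downgrade to HTTP.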