IETF Logo Mail Archive

Re: [tram] Path Forward for STUN ORIGIN

Martin Thomson <martin.thomson@gmail.com> Wed, 26 August 2015 22:50 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A91D1B3524 for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 15:50:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_56=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVdlq4X7WO4N for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 15:50:43 -0700 (PDT)
Received: from mail-yk0-x234.google.com (mail-yk0-x234.google.com [IPv6:2607:f8b0:4002:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD7991B3525 for <tram@ietf.org>; Wed, 26 Aug 2015 15:50:41 -0700 (PDT)
Received: by ykll84 with SMTP id l84so2278961ykl.0 for <tram@ietf.org>; Wed, 26 Aug 2015 15:50:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8/QhgDce+Tcg9cQwa2P3wOc8bQsd7OFxwtK5XoXd9qg=; b=n4A4AW+pVoCwJcfO2Dmb9YGDnEnt6IPXRvViToEPRzxeO5CqtMB6lBi79JFufdwa7s m7mXsTowhj8QBha1CUPLcveQVE5tXXC53od/supl7RscAqq17qOzBO/IKyAMmwdp5IwV x/ZY1pPr7NmPFE0TlIEEk1yfMNXY1qPLvcyT+MeN/OY8kjmz1h/0umzvXOOkaWHKMV/p b28mSuXEPBy2PFSEv4f+55W2S4yY8VMPCdqoHzDvj4I1ez6ITtoCIFTnzVfXPZYAGtep aP5+T66BpS3yJciVvXM8Uhhtvm0G1XOTyS2PWL/NwCKYxLp2nST9o8AvLz5RERO1CFNu ok3Q==
MIME-Version: 1.0
X-Received: by 10.129.103.5 with SMTP id b5mr881755ywc.55.1440629441082; Wed, 26 Aug 2015 15:50:41 -0700 (PDT)
Received: by 10.129.133.130 with HTTP; Wed, 26 Aug 2015 15:50:41 -0700 (PDT)
In-Reply-To: <CAKhHsXHjR+-y1w7XgnC+zFTHG-HRGRYAdN0g8mFjumGTnO-xSw@mail.gmail.com>
References: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com> <CABkgnnVef2voSb1i_uKZPjSimYw7Zxooh5wZh=ZmnuLeFj0Hrw@mail.gmail.com> <CAKhHsXHjR+-y1w7XgnC+zFTHG-HRGRYAdN0g8mFjumGTnO-xSw@mail.gmail.com>
Date: Wed, 26 Aug 2015 15:50:41 -0700
Message-ID: <CABkgnnW_xjbTbVDOYTQwAV3K252f31rQAK9zEzFXZSYyRGQxjA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Alan Johnston <alan.b.johnston@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/ggM3QllIEIzt94_6kvalCpTOB4A>
Cc: "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-stun-origin@tools.ietf.org" <draft-ietf-tram-stun-origin@tools.ietf.org>
Subject: Re: [tram] Path Forward for STUN ORIGIN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 22:50:44 -0000

On 26 August 2015 at 13:59, Alan Johnston <alan.b.johnston@gmail.com> wrote:
> Hi Martin,
>
> This is a very interesting idea - thanks for raising it.
>
> Looking at the referrer-policy document, the proposal here is essentially a
> default global policy of "origin-only" except not quite as strict.

I was actually going to suggest that no-referrer be the default.  It's
the policy a lot of us wish we had for Referer.  Some of us configure
our browsers to do just that.

> The idea of the STUN or TURN URI suggesting the policy which would be
> enforced by the browser is an interesting one.

I wasn't suggesting that it be baked into the URI, but it is an
option.  Though in the same way that we no longer like to put
usernames and passwords in URIs, I don't think that including this
origin-policy attribute in there.

I was actually thinking that you would have an option on
RTCPeerConnection that set the policy.

> The referrer-policy document doesn't make any judgements on the various
> policy levels it defines. Is the "origin-only" policy considered privacy
> friendly in HTTP, or is it considered harmful?

That very much depends on where you stand.  "origin-only" is not
sufficient for some use cases, but is also too much information for
others.

> Do any browsers provide referrer-policy user interface controls?  If so, I
> wonder what the default setting would be?

Firefox provides control through about:config only, and in the most
obtuse fashion imaginable (you have to know what a value of 3 means).
The default policies vary depending on the different origins involved,
and whether they are secure (i.e.,https://) or not.  The defaults we
*want* are somewhat different to the ones that we *have* though.

> But if the HTTP experience is that the Referrer header field was just that
> it was a bad idea to begin with, then perhaps we should pay attention to
> that...

As I said, it is mixed.  Hence the suggestion to allow a measure of control.

v2.23.0 | Report a Bug | By Email