Not sure of the status at this point (it is expired), but the
draft-ietf-oauth-closing-redirectors WG document in
https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
suggests using the Content Security Policy header to limit the information
sent in the Referer, something like this:

  Content-Security-Policy: referrer origin;

Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/
and according to Mozilla (see
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer)
the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated.
And it looks like Referrer-Policy should be used instead for that purpose
(again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
So the draft-ietf-oauth-closing-redirectors document should probably
suggest the Referrer-Policy something more like this:

   Referrer-Policy: strict-origin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
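The practical difference between the draft's `referrer origin` directive and the `strict-origin` policy proposed in the message can be checked with the added example below (my code, not from the draft, the W3C document or the list thread). It models the referrer-policy rules from the W3C Referrer Policy document for a constructed redirect-URI response that carries an authorization code, and reports which policies would place that code in the Referer of a cross-origin request; all URLs, the `code` and the `state` values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a client's redirect URI with the authorization response in the
# query string, and a cross-origin resource (e.g. an image) embedded in that page.
CALLBACK = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"
THIRD_PARTY = "https://cdn.example/logo.png"


def _origin(url):
    """Origin of a URL in the form used by the 'origin' style policies."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def _stripped(url):
    """Full referrer: the URL without fragment and without credentials."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname}{port}", p.path or "/", p.query, ""))


def referer_for(policy, src, dst):
    """Referer value a browser sends for a request from src to dst, or None if omitted."""
    same_origin = _origin(src) == _origin(dst)
    downgrade = urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"
    full, origin = _stripped(src), _origin(src) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":  # CSP 'referrer origin' equivalent: sent even on downgrade
        return origin
    if policy == "strict-origin":  # origin only, and nothing at all on https -> http
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return None if downgrade else (full if same_origin else origin)
    raise ValueError(f"unknown policy: {policy}")


def leaks_query(policy, src, dst):
    """True if the query string (code and state) of src reaches dst in the Referer."""
    ref = referer_for(policy, src, dst)
    return ref is not None and urlsplit(ref).query != ""
```

Running `leaks_query("no-referrer-when-downgrade", CALLBACK, THIRD_PARTY)` shows why a policy that only guards against downgrades is not enough for a redirect URI, while `strict-origin` reduces the Referer to `https://client.example/`.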