Before I make a change.

Do we know if some browsers don’t support Referrer-Policy and may still need 
Content-Security-Policy?

We could recommend sending both or provide some hint about browser strings to 
look for.

John B.

> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> 
> Not sure of the status at this point (it is expired) but the 
> draft-ietf-oauth-closing-redirectors WG document in 
> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
> suggests using the Content Security Policy header to limit the information 
> sent in the referer something like this: 
> 
>   Content-Security-Policy: referrer origin;
> 
> Consistent with the latest draft of 
> https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla 
> (see 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer)
> the Content-Security-Policy (CSP) referrer directive is obsolete and 
> deprecated. And it looks like Referrer-Policy should be used instead for that 
> purpose (again see Mozilla: 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). 
> So the draft-ietf-oauth-closing-redirectors document should probably suggest 
> the Referrer-Policy something more like this:
> 
>    Referrer-Policy: strict-origin 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
> material for the sole use of the intended recipient(s). Any review, use, 
> distribution or disclosure by others is strictly prohibited.  If you have 
> received this communication in error, please notify the sender immediately by 
> e-mail and delete the message and any file attachments from your computer. 
> Thank you.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

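The "send both" option raised above, worked through as an added example (this is not code from the thread, the draft, or any of the linked documents): it sets the current `Referrer-Policy` header with a fallback token list alongside the obsolete CSP `referrer` directive, and it checks what policy a browser would end up applying to a redirect page so that the path and query (where an authorization code or state would sit) do not travel in the Referer. The header names and the values `strict-origin` and `referrer origin` come from the quoted message; the token sets, the mapping of old CSP tokens onto Referrer-Policy names, and the fallback value `origin` are assumptions made for the example.

```python
# Added example, not code from the mailing-list thread or the draft.
# Builds and checks referrer-limiting headers for an OAuth redirect page.
from typing import Dict, List, Optional

# Referrer-Policy tokens that send at most the origin on cross-origin requests,
# so path and query (authorization code, state) never leave the site.
ORIGIN_ONLY_CROSS_ORIGIN = {
    "no-referrer", "origin", "strict-origin", "same-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}
# Tokens that still send the full URL to other origins.
FULL_URL_CROSS_ORIGIN = {"unsafe-url", "no-referrer-when-downgrade"}
KNOWN_POLICIES = ORIGIN_ONLY_CROSS_ORIGIN | FULL_URL_CROSS_ORIGIN

# Obsolete CSP 'referrer' directive tokens mapped onto Referrer-Policy names
# (assumed mapping for the deprecated directive discussed in the thread).
LEGACY_CSP_REFERRER = {
    "no-referrer": "no-referrer",
    "none": "no-referrer",
    "none-when-downgrade": "no-referrer-when-downgrade",
    "origin": "origin",
    "origin-when-cross-origin": "origin-when-cross-origin",
    "unsafe-url": "unsafe-url",
}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [tokens]}; directives are ';'-separated."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def effective_referrer_policy(headers: Dict[str, str]) -> Optional[str]:
    """Policy a browser would apply: Referrer-Policy wins, using the last token it
    recognises in a comma-separated list (the spec's fallback rule); otherwise the
    legacy CSP 'referrer' directive; None means the browser default applies."""
    rp = _get(headers, "Referrer-Policy")
    if rp is not None:
        chosen = None
        for token in (t.strip().lower() for t in rp.split(",")):
            if token in KNOWN_POLICIES:
                chosen = token  # later recognised tokens override earlier ones
        if chosen:
            return chosen
    csp = _get(headers, "Content-Security-Policy")
    if csp is not None:
        tokens = parse_csp(csp).get("referrer", [])
        if tokens and tokens[0] in LEGACY_CSP_REFERRER:
            return LEGACY_CSP_REFERRER[tokens[0]]
    return None


def leaks_full_url(headers: Dict[str, str]) -> bool:
    """True when a cross-origin navigation from this page would carry the full URL
    in the Referer: no policy at all, or a policy that sends the full URL."""
    policy = effective_referrer_policy(headers)
    return policy is None or policy in FULL_URL_CROSS_ORIGIN


def add_referrer_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with both mechanisms set ('send both'). The Referrer-Policy
    value lists a fallback first: a browser that does not know 'strict-origin'
    keeps 'origin', a newer one takes the last token it recognises. The CSP
    directive is appended to any existing policy rather than replacing it."""
    out = dict(headers)
    out["Referrer-Policy"] = "origin, strict-origin"
    existing = _get(out, "Content-Security-Policy")
    if existing is None:
        out["Content-Security-Policy"] = "referrer origin"
    elif "referrer" not in parse_csp(existing):
        key = next(k for k in out if k.lower() == "content-security-policy")
        out[key] = existing.rstrip("; ") + "; referrer origin"
    return out


if __name__ == "__main__":
    # Constructed sample: a redirect page that already carries a CSP but no referrer limit.
    sample = {"Content-Type": "text/html",
              "Content-Security-Policy": "default-src 'self'"}
    print("leaks before:", leaks_full_url(sample))
    hardened = add_referrer_headers(sample)
    print("leaks after: ", leaks_full_url(hardened), hardened)
```

`effective_referrer_policy` is the piece worth running against a real server's response headers: an unknown or misspelled token is skipped, so a header of only unrecognised values falls through to the CSP directive and then to the browser default, which `leaks_full_url` reports as leaking.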
