Before I make a change, do we know if some browsers don't support Referrer-Policy and may still need Content-Security-Policy?
We could recommend sending both or provide some hint about browser strings to look for.

John B.

> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> Not sure of the status at this point (it is expired) but the
> draft-ietf-oauth-closing-redirectors WG document in
> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
> suggests using the Content Security Policy header to limit the information
> sent in the referer something like this:
>
> Content-Security-Policy: referrer origin;
>
> Consistent with the latest draft of
> https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla
> (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer)
> the Content-Security-Policy (CSP) referrer directive is obsolete and
> deprecated. And it looks like Referrer-Policy should be used instead for that
> purpose (again see Mozilla:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
> So the draft-ietf-oauth-closing-redirectors document should probably suggest
> the Referrer-Policy something more like this:
>
> Referrer-Policy: strict-origin
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
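Added example (not part of the thread, and not code from the draft or from either poster): a small Python model of what Referer value a user agent sends under each Referrer-Policy value, applied to an OAuth redirect whose query string carries an authorization code. The policy semantics follow the W3C Referrer Policy draft linked above; the URLs and the code value are constructed, and the helper that emits both the Referrer-Policy header and the deprecated CSP `referrer` directive simply encodes the "send both" option raised in the reply, with no claim about which browsers honour which header.

```python
"""Model of Referrer-Policy behaviour for an OAuth redirect (added example).

Policy semantics are taken from the W3C Referrer Policy draft; everything
else (URLs, the code value, the header helper) is constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
_DEFAULT_PORT = {"https": 443, "http": 80}


def _origin_tuple(url):
    """(scheme, host, port) with the default port filled in, for same-origin checks."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORT.get(p.scheme))


def _origin_str(url):
    """Serialized origin plus '/', the form sent when only the origin is allowed."""
    scheme, host, port = _origin_tuple(url)
    suffix = "" if port == _DEFAULT_PORT.get(scheme) else f":{port}"
    return f"{scheme}://{host}{suffix}/"


def _strip(url):
    """The spec's 'strip URL for use as a referrer': drop userinfo and fragment."""
    p = urlsplit(url)
    netloc = (p.hostname or "").lower() + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referer_for(policy, source, dest):
    """Return the Referer value sent when navigating from `source` to `dest`
    under `policy`, or None when no Referer is sent."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    src_scheme = urlsplit(source).scheme
    if src_scheme not in ("http", "https"):
        return None
    same_origin = _origin_tuple(source) == _origin_tuple(dest)
    downgrade = src_scheme == "https" and urlsplit(dest).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(source)
    if policy == "origin":
        return _origin_str(source)
    if policy == "strict-origin":
        return None if downgrade else _origin_str(source)
    if policy == "same-origin":
        return _strip(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _strip(source) if same_origin else _origin_str(source)
    # strict-origin-when-cross-origin: the default in current browsers
    if downgrade:
        return None
    return _strip(source) if same_origin else _origin_str(source)


def leak_report(source, dest):
    """Map every policy to the Referer value that would reach `dest`."""
    return {p: referer_for(p, source, dest) for p in sorted(POLICIES)}


def redirect_headers(location, include_legacy_csp=True):
    """Response headers for the redirect the draft describes: Referrer-Policy
    as suggested in the reply, optionally alongside the deprecated CSP
    directive from draft-00 (the 'send both' option; whether a given user
    agent honours either is an assumption to verify, not asserted here)."""
    headers = {"Location": location, "Referrer-Policy": "strict-origin"}
    if include_legacy_csp:
        headers["Content-Security-Policy"] = "referrer origin"
    return headers


if __name__ == "__main__":
    # Constructed sample: a redirect URI carrying a code, and a cross-origin resource.
    src = "https://as.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"
    for policy, value in leak_report(src, "https://third-party.example/widget.js").items():
        print(f"{policy:32} -> {value}")
    print(redirect_headers("https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA"))
```

Running the block shows that with no policy (the `no-referrer-when-downgrade` row, the historical default) the full URL including `code=` reaches the third-party origin, while `strict-origin` reduces it to `https://as.example/` and sends nothing at all on an HTTPS-to-HTTP downgrade.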