This is being rolled into the broader security documents Torsten and others 
have been working on.

It wouldn’t hurt to update this draft to have the correct referrer policy. Even 
if it is not progressing, people will still look at it.

I will refresh the draft with the change.

Thanks,

John B.

> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> 
> Not sure of the status at this point (it is expired) but the 
> draft-ietf-oauth-closing-redirectors WG document in 
> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
> suggests using the Content Security Policy header to limit the information 
> sent in the referer, something like this: 
> 
>   Content-Security-Policy: referrer origin;
> 
> Consistent with the latest draft of 
> https://w3c.github.io/webappsec-referrer-policy/ 
> and according to Mozilla (see 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer),
> the Content-Security-Policy (CSP) referrer directive is obsolete and 
> deprecated. And it looks like Referrer-Policy should be used instead for that 
> purpose (again see Mozilla: 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). 
> So the draft-ietf-oauth-closing-redirectors document should probably suggest 
> the Referrer-Policy header, something more like this:
> 
>    Referrer-Policy: strict-origin 
> 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
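The policy values Brian contrasts above are easy to misjudge, so here is an added example (mine, not from the draft, the thread, or any browser's code) that models how a browser derives the Referer header from the current page URL under each Referrer-Policy value and reports which OAuth parameters would reach a third party. It runs under Node.js with no dependencies; the URLs are constructed, and the model follows the W3C Referrer Policy "determine request's referrer" rules as I understand them, simplified so that only an https-to-http request counts as a downgrade.

```javascript
// Added example (not from the draft or the thread): a model of how a browser
// derives the Referer header from the current page's URL under each
// Referrer-Policy value, used to show which OAuth parameters leak to a
// third party. Based on the W3C Referrer Policy "determine request's
// referrer" rules, simplified: only https -> http counts as a downgrade.
// Uses Node's global URL class; no other dependencies.

// The most a browser ever sends: the page URL without credentials or fragment.
function fullReferrer(page) {
  const copy = new URL(page.href);
  copy.username = '';
  copy.password = '';
  copy.hash = '';
  return copy.href;
}

// Origin-only form, serialized the way browsers send it: "https://host/".
function originReferrer(page) {
  return page.origin + '/';
}

function isDowngrade(page, target) {
  return page.protocol === 'https:' && target.protocol === 'http:';
}

// Referer value the browser would send for a request from pageUrl to
// requestUrl under the given policy, or null when nothing is sent.
function referrerFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = isDowngrade(page, target);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullReferrer(page);
    case 'origin':
      return originReferrer(page);
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer(page) : originReferrer(page);
    case 'same-origin':
      return sameOrigin ? fullReferrer(page) : null;
    case 'strict-origin':
      return downgrade ? null : originReferrer(page);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? fullReferrer(page) : originReferrer(page);
    case 'unsafe-url':
      return fullReferrer(page);
    default:
      throw new Error('unknown Referrer-Policy value: ' + policy);
  }
}

const OAUTH_PARAMS = ['code', 'state', 'client_id', 'redirect_uri'];

// Names of the OAuth query parameters that would arrive in the Referer.
function leakedParams(pageUrl, requestUrl, policy) {
  const ref = referrerFor(pageUrl, requestUrl, policy);
  if (ref === null) return [];
  const query = new URL(ref).searchParams;
  return OAUTH_PARAMS.filter((name) => query.has(name));
}

// Constructed sample (hypothetical hosts and values): the client's redirect
// URI right after the authorization server has redirected back with a code,
// on a page that embeds a third-party script and a plain-http tracking pixel.
const CALLBACK_PAGE = 'https://client.example/cb?code=c0nstructed&state=af0ifjsldkj';
const THIRD_PARTY_SCRIPT = 'https://cdn.third-party.example/analytics.js';
const PLAIN_HTTP_PIXEL = 'http://tracker.example/pixel.gif';

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Print a leak table for every policy against both embedded resources.
for (const policy of POLICIES) {
  for (const target of [THIRD_PARTY_SCRIPT, PLAIN_HTTP_PIXEL]) {
    const leaked = leakedParams(CALLBACK_PAGE, target, policy);
    console.log(policy.padEnd(32), target.padEnd(46),
      leaked.length ? 'LEAKS ' + leaked.join(',') : 'ok');
  }
}
```

Run it with node: the table shows `code` and `state` leaking under `unsafe-url` and `no-referrer-when-downgrade`, only the bare origin under `origin` and `strict-origin`, and nothing at all under `strict-origin` when the embedded resource is fetched over plain http. The same function applies to the authorization endpoint's own page URL, whose query carries `client_id`, `redirect_uri` and `state`. The header belongs on the HTTP response for that page (`Referrer-Policy: strict-origin`); the `Content-Security-Policy: referrer origin` form Brian quotes from the draft has since been removed from current browsers, so it no longer limits anything.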
