Hi John,

Thanks for the response. Yes, there is also the Redirect-Origin header which can provide additional assurance of the source of the redirect. Could be a different proposal -- but I see them both being used only in a redirect. I'm guessing people will be more motivated by the Redirect-Query -- and Redirect-Origin adds value.
On Fri, Dec 12, 2025 at 3:15 PM John Kemp <[email protected]> wrote:

> Hi Dick,
>
> El dic 12, 2025, a las 7:43 a.m., Dick Hardt <[email protected]> escribió:
>
> > Hey
> >
> > Authentication and authorization protocols (OAuth, OpenID Connect, SAML)
> > use browser redirects to navigate users between applications and
> > authorization servers. These redirects must carry protocol parameters,
> > which historically appear in URLs or POSTed forms.
> >
> > Problem: URLs leak sensitive data through browser history, Referer
> > headers, server logs, analytics, and JavaScript access.
> >
> > Solution: Redirect Headers move parameters into browser-controlled HTTP
> > headers that aren't exposed in URLs or the DOM.
> >
> > Rollout: Redirect Headers support can be independently adopted by client,
> > browser, and AS. When all three have adopted, the authorization response,
> > in particular the `code` parameter, will be passed only in the HTTP header
> > and will not be visible to the page DOM / JS.
> >
> > Here is an explainer: https://github.com/dickhardt/redirect-headers
> >
> > I'm posting this to the OAuth WG as this is the area to confirm this
> > mechanism is of interest. If it is, then I will propose doing the work in
> > the httpapi WG.
>
> I like this idea quite a lot, and support the proposal. In your explainer,
> I actually see a bit more than the notion of moving the query parameters
> from the query string to headers - a new header Request-Origin, which also
> looks interesting, and goes a bit further (I think) than just moving query
> parameters into a header. Although related, are these not possibly two
> separate proposals?
>
> Cheers,
>
> -johnk
>
> > Sam Goto has expressed interest in adding this functionality to Chrome.
> >
> > I expect there will be bike-shedding on the header names and values -- so
> > that aside, what do people think?
> >
> > _______________________________________________
> > OAuth mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
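The redirect described in the quoted proposal, as an added simulation that is not part of the thread, the explainer, or any browser or AS implementation. The header names Redirect-Query and Redirect-Origin come from the thread; everything else is assumed: that the AS puts the would-be query string in Redirect-Query and its own origin in Redirect-Origin, that a supporting browser forwards both on the request to the redirect URI, and the sample origins. The simulation contrasts the legacy query-string form with the header form and shows why the code stays out of the URL only once client, browser and AS all support it.

```python
"""Simulated OAuth authorization response carried in redirect headers.

Added illustration for the Redirect Headers thread; it is not code from
the explainer, from Chrome, or from any AS. Assumptions (mine, not the
proposal's): the AS carries the would-be query string in a Redirect-Query
header and its own origin in a Redirect-Origin header, and a browser that
supports the mechanism forwards both on the request to the redirect URI.
Header names come from the thread; their value formats are assumed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

AS_ORIGIN = "https://as.example"                     # constructed sample origin
CLIENT_REDIRECT_URI = "https://client.example/cb"    # constructed sample URI


def authorization_redirect(code, state, use_headers):
    """The AS's redirect back to the client as (status, response headers).

    use_headers=False is the legacy form: parameters in the Location query
    string, hence in history, Referer, server logs and window.location.
    """
    params = urlencode({"code": code, "state": state})
    if use_headers:
        return 302, {
            "Location": CLIENT_REDIRECT_URI,   # nothing sensitive in the URL
            "Redirect-Query": params,
            "Redirect-Origin": AS_ORIGIN,
        }
    return 302, {"Location": f"{CLIENT_REDIRECT_URI}?{params}"}


def browser_follow(status, response_headers, supports_redirect_headers=True):
    """Simulated browser: returns the URL it navigates to and the request
    headers it attaches. A browser without support drops the new headers,
    which is why all three parties must adopt before the AS can drop the
    query string (assumed behaviour, not the proposal's wording)."""
    if status != 302:
        raise ValueError("expected a redirect")
    url = response_headers["Location"]
    forwarded = {}
    if supports_redirect_headers:
        for name in ("Redirect-Query", "Redirect-Origin"):
            if name in response_headers:
                forwarded[name] = response_headers[name]
    return url, forwarded


def client_callback(request_url, request_headers, expected_state):
    """Client redirect endpoint. Prefers header-carried parameters, falls
    back to the query string, and checks state and (when present) origin."""
    if "Redirect-Query" in request_headers:
        if request_headers.get("Redirect-Origin") != AS_ORIGIN:
            raise ValueError("redirect did not come from the expected AS")
        query = request_headers["Redirect-Query"]
    else:
        query = urlsplit(request_url).query
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in response")
    return params["code"]


def code_in_url(request_url):
    """True if the authorization code is exposed in the callback URL."""
    return "code" in parse_qs(urlsplit(request_url).query)


if __name__ == "__main__":
    for use_headers in (False, True):
        status, hdrs = authorization_redirect("c-123", "s-456", use_headers)
        url, req_hdrs = browser_follow(status, hdrs)
        code = client_callback(url, req_hdrs, "s-456")
        print(f"headers={use_headers}: code={code}, code in URL={code_in_url(url)}")
```

The Redirect-Origin check is a plain equality against the origin the client expects, which is the "additional assurance of the source of the redirect" the reply above mentions; the state check is the usual OAuth one and applies to both forms.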
