On 25.04.2016 at 15:11, Antonio Sanso wrote:
>>> Checking referrer is a weak protection at best, as that is easily faked in
>>> many circumstances.
>>
>> Note that we do not propose checking the referrer as a mitigation; we
>> propose using the referrer policy (at the client) to suppress the
>> referrer (just as in the open redirector draft where it is used at the
>> AS). So the recommendation here is to use the referrer policy also at
>> the client.
>
> and just as a corollary Internet Explorer doesn't seem to support the
> referrer policy. Maybe Edge...
Edge does, yes :)

(And this is why having the referrer policy in place is just one part of our mitigation.)

--
Information Security and Cryptography
Universität Trier - Tel. 0651 201 2847 - H436

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
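The exchange above is about suppressing, not checking, the Referer that the browser sends away from the client's redirect URI, where the URL still carries the authorization code. The following is an added example, not code from the thread participants or from the OAuth drafts. It models the browser-side decision of the Referrer Policy specification ("determine request's referrer") for the common policy tokens, applied to a constructed redirect URI, so that one can see which policies strip the `code` parameter before a cross-origin request (an embedded image, a link click) and which do not. A browser that does not understand the policy, the Internet Explorer case raised above, simply applies its default; the default assumed here is `no-referrer-when-downgrade`, which was the usual default in 2016 (current browsers default to `strict-origin-when-cross-origin`). The client, CDN and attacker host names and the code and state values are made up for the example.

```javascript
// Model of the browser's "determine request's referrer" step for a
// navigation or subresource request leaving an OAuth redirect URI.
// Added example; assumes the 2016-era browser default policy below.

const DEFAULT_POLICY = 'no-referrer-when-downgrade'; // assumption, see lead-in

// Spec: a URL "stripped for use as a referrer" loses credentials and fragment.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Origin-only referrer is the origin serialised as a URL (trailing slash).
function originOf(u) {
  return new URL(u).origin + '/';
}

function isPotentiallyTrustworthy(u) {
  return new URL(u).protocol === 'https:';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value the browser would send, or null for none.
// `policy` is the Referrer-Policy token delivered with the redirect URI page;
// an absent, empty or unknown token (including a browser that does not
// implement the header at all) falls back to the default policy.
function refererFor(policy, fromUrl, toUrl) {
  const effective = policy ? policy : DEFAULT_POLICY;
  const downgrade = isPotentiallyTrustworthy(fromUrl) && !isPotentiallyTrustworthy(toUrl);
  switch (effective) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripForReferrer(fromUrl);
    case 'origin':
      return originOf(fromUrl);
    case 'same-origin':
      return sameOrigin(fromUrl, toUrl) ? stripForReferrer(fromUrl) : null;
    case 'strict-origin':
      return downgrade ? null : originOf(fromUrl);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(fromUrl);
    case 'origin-when-cross-origin':
      return sameOrigin(fromUrl, toUrl) ? stripForReferrer(fromUrl) : originOf(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin(fromUrl, toUrl) ? stripForReferrer(fromUrl) : originOf(fromUrl);
    default:
      // Unknown token: ignored by the browser, so the default applies.
      return refererFor(DEFAULT_POLICY, fromUrl, toUrl);
  }
}

// Does the Referer value still disclose the authorization code?
function leaksCode(referer) {
  return referer !== null && new URL(referer).searchParams.has('code');
}

// Constructed sample: the client's redirect URI as the browser sees it after
// the AS redirected back, plus two cross-origin targets reachable from that page.
const REDIRECT_URI = 'https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj';
const CDN_IMAGE = 'https://cdn.example/logo.png';
const ATTACKER_LINK = 'http://attacker.example/';

// Summarise, for a given policy, whether the code leaks to each target.
function leakReport(policy) {
  return {
    policy: policy || '(none / unsupported browser)',
    toCdn: leaksCode(refererFor(policy, REDIRECT_URI, CDN_IMAGE)),
    toAttackerHttp: leaksCode(refererFor(policy, REDIRECT_URI, ATTACKER_LINK)),
  };
}

// Stand-alone run: compare the unsupported/default case with the recommended policy.
if (typeof require !== 'undefined' && require.main === module) {
  for (const p of [undefined, 'no-referrer', 'origin', 'strict-origin-when-cross-origin']) {
    console.log(leakReport(p));
  }
}
```

The report shows the point made in the thread: with no policy, or in a browser that ignores the header, the full redirect URI including `code` goes to any https target on the page, and only the https-to-http downgrade suppresses it; `no-referrer` or an origin-only policy strips the code for every target. Because the policy is enforced by the browser, the client cannot rely on it alone, which is why the reply calls it one part of the mitigation.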