Yes, that policy will be in new browsers, but that will not be all browsers for 
some time (probably not until XP dies).

We are going to have the old-browser issue with token binding as well. 

At some point the AS may need to restrict what older browsers can do, as they will 
have different security profiles from current browsers re TLS, token binding, 
web crypto, web push, and header policy.

John B.
 
> On Apr 25, 2016, at 6:15 AM, Daniel Fett <f...@uni-trier.de> wrote:
> 
> On 25.04.2016 at 15:11, Antonio Sanso wrote:
>>>> Checking referrer is a weak protection at best, as that is easily faked in 
>>>> many circumstances.
>>> 
>>> Note that we do not propose checking the referrer as a mitigation; we
>>> propose using the referrer policy (at the client) to suppress the
>>> referrer (just as in the open redirector draft where it is used at the
>>> AS). So the recommendation here is to use the referrer policy also at
>>> the client.
>> 
>> and just as a corollary Internet Explorer doesn’t seem to support the 
>> referrer policy. Maybe Edge…
> 
> Edge does, yes :)
> 
> (And this is why having the referrer policy in place is just one part of
> our mitigation.)
> 
> 
> -- 
> Information Security and Cryptography
> Universität Trier - Tel. 0651 201 2847 - H436

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
