Brian,

To answer my own question to some extent, this page has support status for the browsers: http://caniuse.com/#feat=referrer-policy

It looks like only Firefox supports strict-origin. Most of them support origin. Some like IE, Opera Mini and older versions of Android (4) don't support Referrer-Policy at all. So I think:

Referrer-Policy: origin

with a note that you still need to use Content-Security-Policy: for IE and Android (4). There may be some other OEM-provided browsers on Android from Samsung and others that may not have support, but they are a small number in general.

John B.

> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> Not sure of the status at this point (it is expired) but the
> draft-ietf-oauth-closing-redirectors WG document in
> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
> suggests using the Content Security Policy header to limit the information
> sent in the referer something like this:
>
> Content-Security-Policy: referrer origin;
>
> Consistent with the latest draft of
> https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla
> (see
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer)
> the Content-Security-Policy (CSP) referrer directive is obsolete and
> deprecated. And it looks like Referrer-Policy should be used instead for that
> purpose (again see Mozilla:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
> So the draft-ietf-oauth-closing-redirectors document should probably suggest
> the Referrer-Policy something more like this:
>
> Referrer-Policy: strict-origin
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
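An added example, not from the list thread, of the check a server operator would run over a response's headers: it recognises the Referrer-Policy header (with its comma-separated fallback list, where the last recognised token wins) and the obsolete CSP referrer directive the draft still cites, and reports whether the advertised policy keeps path and query out of cross-origin Referer headers. The sample header sets are constructed for illustration.

```python
# Added example (not the OAuth list's or the draft's code): classify the
# referrer policy advertised by a set of HTTP response headers.
from typing import Dict, Optional

# Policy tokens that strip path/query from the Referer on cross-origin requests.
LIMITING = {"no-referrer", "origin", "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "same-origin"}
# Tokens browsers recognise but which can leak the full URL cross-origin.
LEAKY = {"no-referrer-when-downgrade", "unsafe-url"}


def csp_referrer_directive(csp: str) -> Optional[str]:
    """Return the value of the obsolete CSP 'referrer' directive, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if len(parts) > 1 and parts[0].lower() == "referrer":
            return parts[1].lower()
    return None


def referrer_policy_status(headers: Dict[str, str]) -> dict:
    """Report which mechanism sets the policy and whether it limits leakage.

    Header names are matched case-insensitively. Referrer-Policy may carry a
    fallback list; unknown tokens are ignored and the last known one applies,
    which is how the header degrades on browsers lacking newer values.
    """
    h = {k.lower(): v for k, v in headers.items()}
    policy, source = None, None
    if "referrer-policy" in h:
        tokens = [t.strip().lower() for t in h["referrer-policy"].split(",")]
        known = [t for t in tokens if t in LIMITING | LEAKY]
        if known:
            policy, source = known[-1], "Referrer-Policy"
    csp_value = csp_referrer_directive(h.get("content-security-policy", ""))
    if policy is None and csp_value:
        policy, source = csp_value, "CSP referrer directive (obsolete)"
    return {
        "source": source,
        "policy": policy,
        "limits_referrer": policy in LIMITING,
        # The thread notes IE and Android 4 ignore Referrer-Policy, so the
        # old directive is the only thing those browsers will honour.
        "legacy_csp_fallback": csp_value is not None,
    }


if __name__ == "__main__":
    # Constructed sample: the thread's suggestion plus the legacy fallback.
    print(referrer_policy_status({"Referrer-Policy": "origin",
                                  "Content-Security-Policy": "referrer origin;"}))
```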