Good, so you could send both to be safe without it breaking.

John B.

> On Aug 3, 2017, at 12:55 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> No, Chrome only shows the error message deep inside the developer tools console.
>
> On Thu, Aug 3, 2017 at 10:51 AM, John Bradley <ve7...@ve7jtb.com> wrote:
> No one ever said that browsers are consistent.
>
> I think Chrome has supported a subset of the new header for a while but won’t have full support until Chrome 61 gets out of beta.
>
> Is Chrome showing a user visible error with the old header?
>
> Easiest thing would be to use the new header and deny access to anyone still using IE :)
>
> John B.
>
>> On Aug 3, 2017, at 12:43 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>>
>> Really all I know is that recent versions of Chrome complain that referrer is an unrecognized Content-Security-Policy directive, which led me to look up the changes and content in my original message.
>>
>> On Thu, Aug 3, 2017 at 9:35 AM, John Bradley <ve7...@ve7jtb.com> wrote:
>> Brian
>>
>> To answer my own question to some extent, this page has support status for the browsers:
>> http://caniuse.com/#feat=referrer-policy
>>
>> It looks like only Firefox supports strict-origin.
>>
>> Most of them support origin.
>>
>> Some like IE, Opera Mini and older versions of Android (4) don’t support Referrer-Policy at all.
>>
>> So I think
>> Referrer-Policy: origin
>>
>> With a note that you still need to use Content-Security-Policy: for IE and Android (4). There may be some other OEM provided browsers on Android from Samsung and others that may not have support, but they are a small number in general.
>>
>> John B.
>>
>>> On Aug 2, 2017, at 6:46 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>>>
>>> Not sure of the status at this point (it is expired) but the draft-ietf-oauth-closing-redirectors WG document in
>>> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
>>> suggests using the Content Security Policy header to limit the information sent in the referer, something like this:
>>>
>>> Content-Security-Policy: referrer origin;
>>>
>>> Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/ and according to Mozilla (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer) the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated. And it looks like Referrer-Policy should be used instead for that purpose (again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). So the draft-ietf-oauth-closing-redirectors document should probably suggest the Referrer-Policy, something more like this:
>>>
>>> Referrer-Policy: strict-origin
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
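Added example (Python; not code from the thread, the draft or any browser): a stripped-down version of the browser's referrer-policy rules for the policies the thread mentions, applied to a constructed authorization URL that carries a state parameter, plus the pair of response headers the thread ends on (new Referrer-Policy for current browsers, the obsolete CSP directive for browsers that only understand that). The URL and hostnames are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed example: an authorization request whose query string is
# exactly the kind of thing the referer should not carry to a third party.
AUTHZ_URL = "https://as.example/authorize?client_id=abc&state=s3cr3t"

def _origin_only(url: str) -> str:
    """'origin' form: scheme://host[:port]/ with path, query and fragment gone."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def _full_referrer(url: str) -> str:
    """Full form: keeps path and query, drops only the fragment and credentials."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path or '/'}" + (f"?{p.query}" if p.query else "")

def referer_for(policy: str, referrer: str, target: str) -> Optional[str]:
    """Referer value a browser sends when navigating from `referrer` to `target`
    under `policy` (subset of the W3C Referrer Policy rules; None = no header)."""
    r, t = urlsplit(referrer), urlsplit(target)
    same_origin = (r.scheme, r.netloc) == (t.scheme, t.netloc)
    downgrade = r.scheme == "https" and t.scheme == "http"   # TLS -> plaintext
    if policy == "no-referrer":
        return None
    if policy == "origin":                       # always leaks the origin, even on downgrade
        return _origin_only(referrer)
    if policy == "strict-origin":                # origin only, and nothing over a downgrade
        return None if downgrade else _origin_only(referrer)
    if policy == "no-referrer-when-downgrade":   # full URL unless downgrading
        return None if downgrade else _full_referrer(referrer)
    if policy == "same-origin":
        return _full_referrer(referrer) if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full_referrer(referrer)
        return None if downgrade else _origin_only(referrer)
    raise ValueError(f"unsupported policy: {policy!r}")

def redirect_headers(location: str) -> dict:
    """Headers for the authorization server's redirect response: send both the
    current header and the obsolete CSP directive, as the thread concludes."""
    return {
        "Location": location,
        "Referrer-Policy": "strict-origin",
        "Content-Security-Policy": "referrer origin",
    }
```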