Really all I know is that recent versions of Chrome complain that referrer is an unrecognized Content-Security-Policy directive, which led me to look up the changes and content in my original message.
On Thu, Aug 3, 2017 at 9:35 AM, John Bradley <[email protected]> wrote:

> Brian
>
> To answer my own question to some extent, this page has support status for
> the browsers:
> http://caniuse.com/#feat=referrer-policy
>
> It looks like only Firefox supports strict-origin.
>
> Most of them support origin.
>
> Some like IE, Opera Mini and older versions of Android (4) don't support
> Referrer-Policy at all.
>
> So I think
> Referrer-Policy: origin
>
> With a note that you still need to use Content-Security-Policy: for IE
> and Android (4). There may be some other OEM-provided browsers on Android
> from Samsung and others that may not have support, but they are a small
> number in general.
>
> John B.
>
>
> On Aug 2, 2017, at 6:46 PM, Brian Campbell <[email protected]> wrote:
>
> Not sure of the status at this point (it is expired) but the
> draft-ietf-oauth-closing-redirectors WG document in
> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
> suggests using the Content Security Policy header to limit the information
> sent in the referer something like this:
>
> Content-Security-Policy: referrer origin;
>
> Consistent with the latest draft of https://w3c.github.io/webappsec-referrer-policy/
> and according to Mozilla (see
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer)
> the Content-Security-Policy (CSP) referrer directive is obsolete and deprecated.
> And it looks like Referrer-Policy should be used instead for that purpose
> (again see Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
> So the draft-ietf-oauth-closing-redirectors document should probably
> suggest the Referrer-Policy something more like this:
>
> Referrer-Policy: strict-origin
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
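To make concrete what each policy named in the thread exposes, here is an added example (not code from the thread, the draft or any browser) that models the W3C Referrer Policy rules for a page at an OAuth redirect_uri loading a third-party resource; the callback URL, authorization code and target URLs are constructed.

```python
# Added example: which Referer value a browser sends under the Referrer-Policy
# values discussed in the thread, so a defender can check whether a page at the
# OAuth redirect_uri leaks ?code=... to third parties it embeds.
# Follows the W3C Referrer Policy algorithm; all sample URLs are constructed.
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect_uri as the browser lands on it after authorization.
CALLBACK_URL = "https://client.example/cb?code=CONSTRUCTED_AUTHZ_CODE&state=xyz"


def origin_of(url):
    """Serialized origin, with the trailing slash browsers put in Referer."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def strip_for_referer(url):
    """Full URL minus fragment and userinfo, as sent under the default policy."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referer_for(policy, referring_url, target_url):
    """Referer header value for a request from referring_url to target_url, or None."""
    src, dst = urlsplit(referring_url), urlsplit(target_url)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # browser default at the time
        return None if downgrade else strip_for_referer(referring_url)
    if policy == "origin":  # what the thread settles on for broad support
        return origin_of(referring_url)
    if policy == "strict-origin":  # Firefox-only per the caniuse data cited
        return None if downgrade else origin_of(referring_url)
    raise ValueError(f"policy not modelled here: {policy!r}")


def query_leaks(policy, referring_url, target_url):
    """True if the callback's query string (carrying the code) reaches target_url."""
    query = urlsplit(referring_url).query
    ref = referer_for(policy, referring_url, target_url)
    return ref is not None and query != "" and query in ref


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "origin", "strict-origin", "no-referrer"):
        for target in ("https://cdn.example/widget.js", "http://pixel.example/p.gif"):
            print(f"{policy:28} -> {target:32} Referer={referer_for(policy, CALLBACK_URL, target)}")
```

Running it shows the default policy handing the full callback URL, code included, to any HTTPS third party, while origin and strict-origin reduce it to https://client.example/ or nothing.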
