No one ever said that browsers are consistent. I think Chrome has supported a subset of the new header for a while but won’t have full support until Chrome 61 gets out of beta.
Is Chrome showing a user-visible error with the old header? Easiest thing would be to use the new header and deny access to anyone still using IE :)

John B.

> On Aug 3, 2017, at 12:43 PM, Brian Campbell <[email protected]> wrote:
>
> Really all I know is that recent versions of Chrome complain that referrer is
> an unrecognized Content-Security-Policy directive, which led me to look up
> the changes and content in my original message.
>
> On Thu, Aug 3, 2017 at 9:35 AM, John Bradley <[email protected]> wrote:
> Brian
>
> To answer my own question to some extent, this page has support status for
> the browsers:
> http://caniuse.com/#feat=referrer-policy
>
> It looks like only Firefox supports strict-origin.
>
> Most of them support origin.
>
> Some like IE, Opera Mini and older versions of Android (4) don't support
> Referrer-Policy at all.
>
> So I think
> Referrer-Policy: origin
>
> With a note that you still need to use Content-Security-Policy: for IE and
> Android (4). There may be some other OEM provided browsers on Android from
> Samsung and others that may not have support but they are a small number in
> general.
>
> John B.
>> On Aug 2, 2017, at 6:46 PM, Brian Campbell <[email protected]> wrote:
>>
>> Not sure of the status at this point (it is expired) but the
>> draft-ietf-oauth-closing-redirectors WG document in
>> https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3
>> suggests using the Content Security Policy header to limit the information
>> sent in the referer something like this:
>>
>> Content-Security-Policy: referrer origin;
>>
>> Consistent with the latest draft of
>> https://w3c.github.io/webappsec-referrer-policy/
>> and according to Mozilla (see
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer)
>> the Content-Security-Policy (CSP) referrer directive is obsolete and
>> deprecated. And it looks like Referrer-Policy should be used instead for
>> that purpose (again see Mozilla:
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
>> So the draft-ietf-oauth-closing-redirectors document should probably
>> suggest the Referrer-Policy something more like this:
>>
>> Referrer-Policy: strict-origin
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
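The thread above argues about which header to send, but the underlying question is what each Referrer-Policy value actually lets out of the redirect URI page once it holds an authorization code and state in its query string. The following is an added example written for this page; it is not code from the closing-redirectors draft, from the list, or from any browser. It is a simplified rendering of the "determine request's referrer" steps in the W3C Referrer Policy draft: it ignores opaque origins and per-element `referrerpolicy` overrides, and treats only an https to http transition as a "downgrade" rather than applying the full potentially-trustworthy-URL check. The redirect URI, code, state and third-party URLs are constructed sample values.

```javascript
// Added example (not from the thread or the draft). Simplified form of the
// "determine request's referrer" algorithm from
// https://w3c.github.io/webappsec-referrer-policy/ .
// Assumptions: no opaque origins, no per-element referrerpolicy overrides,
// and "downgrade" means https -> non-https only.

const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
];

// Spec "strip url for use as a referrer": drop credentials and fragment,
// keep path and query (the query is what carries code= and state=).
function fullReferrer(from) {
  const u = new URL(from.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer: serialized origin plus a trailing "/".
function originReferrer(from) {
  return from.origin + "/";
}

function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol !== "https:";
}

// Returns the Referer value the browser would send for a request from
// referrerUrl to targetUrl under `policy`, or null for no Referer at all.
function computeReferer(referrerUrl, targetUrl, policy) {
  const from = new URL(referrerUrl);
  const to = new URL(targetUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = isDowngrade(from, to);
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : fullReferrer(from);
    case "same-origin":
      return sameOrigin ? fullReferrer(from) : null;
    case "origin":
      return originReferrer(from);
    case "strict-origin":
      return downgrade ? null : originReferrer(from);
    case "origin-when-cross-origin":
      return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullReferrer(from);
      return downgrade ? null : originReferrer(from);
    case "unsafe-url":
      return fullReferrer(from);
    default:
      throw new Error("unknown Referrer-Policy value: " + policy);
  }
}

// Policies under which a request from the redirect URI page to targetUrl
// would carry the page's query string, i.e. the code and state.
function leakyPolicies(redirectUri, targetUrl) {
  const query = new URL(redirectUri).search;
  return POLICIES.filter((p) => {
    const ref = computeReferer(redirectUri, targetUrl, p);
    return ref !== null && query !== "" && ref.includes(query);
  });
}

// Constructed sample: the client's redirect URI page holding a fresh code,
// then loading a third-party script (the classic leak channel).
const REDIRECT_PAGE =
  "https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj";
const THIRD_PARTY = "https://cdn.example.net/analytics.js";

if (typeof require !== "undefined" && require.main === module) {
  for (const p of POLICIES) {
    console.log(p.padEnd(32), computeReferer(REDIRECT_PAGE, THIRD_PARTY, p));
  }
  console.log("leaky:", leakyPolicies(REDIRECT_PAGE, THIRD_PARTY).join(", "));
}
```

Running it shows why the thread lands where it does: with `origin` or `strict-origin` (the two values the messages above recommend, with the CSP `referrer origin` directive as the fallback for IE and Android 4) a cross-origin request from the redirect URI page carries only `https://client.example.org/`, never the query string, and `strict-origin` additionally suppresses the Referer entirely on an https to http request. Under `no-referrer-when-downgrade`, which browsers of that era applied when no policy was set, the full URL including `code=` and `state=` goes to any https third party the page happens to load.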
