----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Gabriel Cardoso" <gcardoso(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 6 August, 2013 5:04:39 PM
Subject: Re: [keycloak-dev] Avoid older user agents?
> For SSO login, we should support as old as possible (no javascript,
> backward compatible to HTML 4? 3? 2? I don't know you tell me....).
HTML4 transitional is fine, pretty much covers 99.9999% of browsers in use today. We can
use JavaScript as long as it's progressive enhancements (for example autofocus or
placeholder replacement). The biggest issue is around css/style and testing that it's
"pixel perfect"; there are several websites out there that can help with this.
There may be an official list of browsers Redhat supports, but I would think recent
versions of Chrome, Firefox, Safari, Opera (these are all generally updated and
there are very few old versions around). IE6 is announced dead by MS themselves, and
IE7 has a relatively low usage, so I would think IE8 is sufficient. That's not to say
it won't work with older browsers, it may just look a bit crap.
> For admin UI, we can be more restrictive, IMO. The admin UI, is not
> just a UI though. It is a set of REST services that can be called from
> javascript (or whatever language/platform you want). For security
> reasons we might want to restrict the types of browsers that can make
> these REST requests.
I'm wondering if limiting on agent header is false security as it can be easily
changed.
Checking user agent before setting HttpOnly is also IMO not necessary as most browsers do
(in fact IE does all the way back to 6 and Firefox to 3!). Anyone that still uses a
browser that doesn't support it today is using a heavily out of date (and unsupported)
browser, so it will be riddled with vulnerabilities in any case.
On 8/6/2013 10:14 AM, Gabriel Cardoso wrote:
> An important question is to define which older browsers we have to support.
> Does Red Hat have a list of them? Who defines this?
>
> Gabriel
>
> On Aug 6, 2013, at 10:24 AM, Bill Burke wrote:
>
>> Older browsers don't support HttpOnly cookies, right? So, maybe we
>> don't set login cookies for these older browsers. For SSO, this will
>> require a relogin every time. For the admin UI, we just won't allow
>> interaction with older browsers. We'll do this by checking the
>> User-Agent header.
>>
>>
>> https://issues.jboss.org/browse/KEYCLOAK-23
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
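An added example (not code from this thread or from the Keycloak project) of the approach the reply argues for: the login cookie gets HttpOnly unconditionally, never gated on User-Agent, and a small audit helper flags Set-Cookie lines that lack the attribute. The cookie name `sso_login` and all values are constructed placeholders.

```python
"""Added example: always-HttpOnly login cookie plus a Set-Cookie audit.
Not from the keycloak-dev thread or the Keycloak code base; the cookie
name and sample values are constructed placeholders."""
from http.cookies import SimpleCookie

LOGIN_COOKIE = "sso_login"  # constructed name, not Keycloak's real cookie name


def build_login_cookie(value: str, https: bool, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value for the login cookie.

    HttpOnly is always set. A browser that ignores the attribute just stores
    an ordinary cookie, so there is nothing to gain by checking User-Agent
    first (which is client-controlled anyway). Secure is added whenever the
    response travels over TLS so the cookie is never sent in clear text.
    """
    cookie = SimpleCookie()
    cookie[LOGIN_COOKIE] = value
    morsel = cookie[LOGIN_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["max-age"] = max_age
    if https:
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(header_values):
    """Return the names of cookies in the given Set-Cookie values that lack
    HttpOnly, so a response can be checked before it reaches a client."""
    missing = []
    for raw in header_values:
        cookie = SimpleCookie()
        cookie.load(raw)  # parses attribute flags such as HttpOnly/Secure
        for name, morsel in cookie.items():
            if not morsel["httponly"]:
                missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed sample response headers: one built here, one legacy cookie.
    headers = [build_login_cookie("abc123", https=True), "legacy=xyz; Path=/"]
    print(headers[0])
    print("missing HttpOnly:", audit_set_cookie(headers))
```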