We can't do that as the P3P policy is a legal policy that has to be set by
each company themselves and we can't just set something on their behalf in
Keycloak. That's why the default just says this is not a p3p policy, which
disables the whole thing. It's a stupid header that should never have been
allowed to exist at all.
On 19 March 2017 at 10:09, Thomas Darimont <thomas.darimont(a)googlemail.com>
wrote:
Hello,
sorry for digging this old thread out but I just stumbled over this again.
I found some Keycloak deployments in the wild which explicitly set the
P3P Header to:
P3P:CP="CAO PSA OUR"
This seems to work fine with IE and is a valid P3P header.
See also:
http://stackoverflow.com/questions/5257983/what-does-headerp3p-cp-cao-psa-our-do
I wonder whether this would make a better default setting for the
p3pPolicy setting in themes/src/main/resources/theme/base/login/messages/messages_*.properties
than the current value of:
p3pPolicy=CP="This is not a P3P policy!"
Cheers,
Thomas
2016-04-15 15:24 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
> No, but feel free to add one to the new testsuite :)
>
> On 15 April 2016 at 14:46, Thomas Raehalme <thomas.raehalme@aitiofinland.com> wrote:
>
>>
>> On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> I think we need to make it configurable. Could use messages from login
>>> theme as a simple solution?
>>>
>>> sessionIframeP3P=CP="This is not a P3P policy!"
>>>
>>
>> Using theme properties was a good idea.
>>
>> Is there an existing test I could extend to verify the presence of the
>> header?
>>
>>
>>
>>
>>
>>> On 14 April 2016 at 16:06, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com> wrote:
>>>
>>>> Well I didn't mean exactly the same message with a link and
>>>> everything, but just something like "This is not a policy definition."
>>>>
>>>> Best regards,
>>>> Thomas
>>>> On Apr 14, 2016 17:03, "Stian Thorgersen" <sthorger(a)redhat.com> wrote:
>>>>
>>>>> I don't think the Google way is good for us as we'd need to have a
>>>>> similar page. Further, it wouldn't be correct to have a Keycloak page that
>>>>> describes the policy for other companies. So we need to figure out what the
>>>>> correct value should be I think.
>>>>>
>>>>> On 14 April 2016 at 16:00, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com> wrote:
>>>>>
>>>>>> W3C has the spec but since nobody is really using this I don't think
>>>>>> the value matters. But instead of making up some policy definition I think
>>>>>> that the Google way would be the best. What do you think?
>>>>>>
>>>>>> Best regards,
>>>>>> Thomas
>>>>>> On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger(a)redhat.com> wrote:
>>>>>>
>>>>>>> I've got no clue what the value should be, tried to search on
>>>>>>> Google, but doesn't make much sense to me.
>>>>>>>
>>>>>>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi> wrote:
>>>>>>>
>>>>>>>> There is discussion on this issue, also on Stack Overflow:
>>>>>>>>
>>>>>>>> http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-have-an-infinite-loop
>>>>>>>>
>>>>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"”
>>>>>>>>
>>>>>>>>
>>>>>>>> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces(a)lists.jboss.org] On behalf of Thomas Raehalme
>>>>>>>> Sent: 14 April 2016 16:22
>>>>>>>> To: Stian Thorgersen
>>>>>>>> Cc: keycloak-user
>>>>>>>> Subject: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>>>>
>>>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>>>>>>
>>>>>>>> What do you think the value should be? As I wrote earlier it does
>>>>>>>> not seem to make a difference to IE.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>>>>>> Can you create a JIRA for it please? If you fancy doing a PR you
>>>>>>>> can add the header to LoginStatusIframeEndpoint.
>>>>>>>>
>>>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com> wrote:
>>>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>>>>>> What do you mean about "if the URL is something like"?
>>>>>>>>
>>>>>>>> The only iframe Keycloak uses is in the JavaScript adapter and
>>>>>>>> it's only the session iframe. That would be the only place it would be
>>>>>>>> relevant for Keycloak to set P3P header, but don't think it's needed, AFAIK it
>>>>>>>> works just fine on IE.
>>>>>>>>
>>>>>>>> Sorry for being a little too vague.
>>>>>>>>
>>>>>>>> Among other UIs our application has a web front-end based on
>>>>>>>> AngularJS and it's utilizing the JavaScript adapter for authentication.
>>>>>>>> When I log in to the application I can inspect the HTML and see an <iframe
>>>>>>>> /> element with the following URL:
>>>>>>>>
>>>>>>>> https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-status-iframe.html?client_id=xxxx&origin=xxxx
>>>>>>>>
>>>>>>>> Without the P3P header there is an eternal loop between our web
>>>>>>>> front-end and Keycloak where the browser is being redirected from one to
>>>>>>>> the other. After adding the P3P header the problem was solved.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
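As an added example that is not part of this thread or of Keycloak: a small parser that checks a P3P compact-policy value against the token vocabulary of the P3P 1.0 specification, so you can see why Keycloak's default `CP="This is not a P3P policy!"` carries no recognisable tokens while the two values quoted in the thread (`CP="CAO PSA OUR"` and the Apache directive) are syntactically valid compact policies. The vocabulary table is constructed here from the spec; no Keycloak API is assumed.

```python
import re
from dataclasses import dataclass, field

# P3P 1.0 compact-policy vocabulary grouped by spec category (constructed
# for this example from the spec; not Keycloak code).
VOCAB = {
    "access":     {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":   {"DSP"},
    "remedies":   {"COR", "MON", "LAW"},
    "non-ident":  {"NID"},
    "purpose":    {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                   "CON", "HIS", "TEL", "OTP"},
    "recipient":  {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention":  {"NOR", "STP", "LEG", "BUS", "IND"},
    "categories": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                   "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":       {"TST"},
}
CATEGORY_OF = {tok: cat for cat, toks in VOCAB.items() for tok in toks}
# Purpose and recipient tokens (except CUR and OUR) may take an a/i/o suffix:
# always / opt-in / opt-out, e.g. "CONi" in the Apache directive quoted in the thread.
SUFFIXABLE = (VOCAB["purpose"] - {"CUR"}) | (VOCAB["recipient"] - {"OUR"})
_CP_RE = re.compile(r'CP\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(.*))', re.IGNORECASE)


@dataclass
class CompactPolicy:
    raw: str
    by_category: dict = field(default_factory=dict)  # spec category -> tokens
    unrecognised: list = field(default_factory=list)

    @property
    def is_valid(self) -> bool:
        """At least one token parsed and none of them unknown to the vocabulary."""
        return bool(self.by_category) and not self.unrecognised


def parse_p3p(header_value: str) -> CompactPolicy:
    """Parse a P3P response header value; a leading 'P3P:' prefix is tolerated."""
    m = _CP_RE.search(header_value.strip())
    if m is None:  # no CP= directive at all: nothing a user agent could act on
        return CompactPolicy(raw=header_value, unrecognised=[header_value.strip()])
    body = next(g for g in m.groups() if g is not None).strip()
    policy = CompactPolicy(raw=body)
    for tok in body.split():
        has_suffix = len(tok) == 4 and tok[3] in "aio" and tok[:3] in SUFFIXABLE
        cat = CATEGORY_OF.get(tok[:3] if has_suffix else tok)
        if cat is None:
            policy.unrecognised.append(tok)
        else:
            policy.by_category.setdefault(cat, []).append(tok)
    return policy
```

Run it over the three values from the thread to see which tokens each one actually declares; the parser reports syntax only and makes no claim about how any browser treats a given policy.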