2:47 p.m.
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly IE doesn't really care about the header's
value as long as it has been set. For example Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
2:54 p.m.
Are you talking about the session iframe used by the JavaScript adapter or
something else?
On 14 April 2016 at 14:47, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com
wrote:
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly IE doesn't really care about the header's
value as long as it has been set. For example Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more
info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:01 p.m.
What do you mean about "if the URL is something like"?
The only iframe Keycloak uses is in the JavaScript adapter and it's only
the session iframe. That would be the only place it would be relevant for
Keycloak to set P3P header, but don't think it's need AFAIK it works just
fine on IE.
On 14 April 2016 at 14:59, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com
wrote:
>
> On Thu, Apr 14, 2016 at 3:54 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
>
>> Are you talking about the session iframe used by the JavaScript adapter
>> or something else?
>>
>
> Yes, if the URL is something like login-status-iframe.html.
>
> Best regards,
> Thomas
>
>
3:09 p.m.
On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
What do you mean about "if the URL is something like"?
The only iframe Keycloak uses is in the JavaScript adapter and it's only
the session iframe. That would be the only place it would be relevant for
Keycloak to set P3P header, but don't think it's need AFAIK it works just
fine on IE.
Sorry for being a little too vague.
Among other UIs our application has a web front-end based on AngularJS and
it's utilizing the JavaScript adapter for authentication. When I login to
the application I can inspect the HTML and see an <iframe /> element with
the following URL:
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
Without the P3P header there is an eternal loop between our web front-end
and Keycloak where the browser is being redirected from one to the other.
After adding the P3P header the problem was solved.
Best regards,
Thomas
3:16 p.m.
Can you create a JIRA for it please? If you fancy doing a PR you can add
the header to LoginStatusIframeEndpoint.
On 14 April 2016 at 15:09, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com
wrote:
> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
>
>> What do you mean about "if the URL is something like"?
>>
>> The only iframe Keycloak uses is in the JavaScript adapter and it's only
>> the session iframe. That would be the only place it would be relevant for
>> Keycloak to set P3P header, but don't think it's need AFAIK it works
>> just fine on IE.
>>
>
> Sorry for being a little too vague.
>
> Among other UIs our application has a web front-end based on AngularJS and
> it's utilizing the JavaScript adapter for authentication. When I login to
> the application I can inspect the HTML and see an <iframe /> element with
> the following URL:
>
>
>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>
> Without the P3P header there is an eternal loop between our web front-end
> and Keycloak where the browser is being redirected from one to the other.
> After adding the P3P header the problem was solved.
>
> Best regards,
> Thomas
>
3:22 p.m.
I created KEYCLOAK-2828 for this issue and will do a PR as well.
What do you think the value should be? As I wrote earlier it does not seem
to make a difference to IE.
Best regards,
Thomas
On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Can you create a JIRA for it please? If you fancy doing a PR you can
add
the header to LoginStatusIframeEndpoint.
On 14 April 2016 at 15:09, Thomas Raehalme <
thomas.raehalme(a)aitiofinland.com> wrote:
> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> What do you mean about "if the URL is something like"?
>>
>> The only iframe Keycloak uses is in the JavaScript adapter and it's only
>> the session iframe. That would be the only place it would be relevant for
>> Keycloak to set P3P header, but don't think it's need AFAIK it works
>> just fine on IE.
>>
>
> Sorry for being a little too vague.
>
> Among other UIs our application has a web front-end based on AngularJS
> and it's utilizing the JavaScript adapter for authentication. When I login
> to the application I can inspect the HTML and see an <iframe /> element
> with the following URL:
>
>
>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>
> Without the P3P header there is an eternal loop between our web front-end
> and Keycloak where the browser is being redirected from one to the other.
> After adding the P3P header the problem was solved.
>
> Best regards,
> Thomas
>
3:30 p.m.
there is discussion on this issue, also on stack overflow
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
“Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"”
Lähettäjä: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] Puolesta Thomas Raehalme
Lähetetty: 14. huhtikuuta 2016 16:22
Vastaanottaja: Stian Thorgersen
Kopio: keycloak-user
Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
I created KEYCLOAK-2828 for this issue and will do a PR as well.
What do you think the value should be? As I wrote earlier it does not seem to make a
difference to IE.
Best regards,
Thomas
On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Can you create a JIRA for it please? If you fancy doing a PR you can add the header to
LoginStatusIframeEndpoint.
On 14 April 2016 at 15:09, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>
wrote:
On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
What do you mean about "if the URL is something like"?
The only iframe Keycloak uses is in the JavaScript adapter and it's only the session
iframe. That would be the only place it would be relevant for Keycloak to set P3P header,
but don't think it's need AFAIK it works just fine on IE.
Sorry for being a little too vague.
Among other UIs our application has a web front-end based on AngularJS and it's
utilizing the JavaScript adapter for authentication. When I login to the application I can
inspect the HTML and see an <iframe /> element with the following URL:
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
Without the P3P header there is an eternal loop between our web front-end and Keycloak
where the browser is being redirected from one to the other. After adding the P3P header
the problem was solved.
Best regards,
Thomas
________________________________
Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista tietoa, joka on
tarkoitettu
vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita viestin lähettäjälle
tapahtuneesta
virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen, kopioiminen, jakelu
tai muu
käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti kielletty.
This message (including any attachments) may contain confidential information intended
for
the person or entity to which it is addressed. If you are not the intended recipient,
notify the
sender and delete this message immediately. Notice that disclosing, copying, distributing
or any
other use of the message and its information, or taking any action based on it, is
strictly prohibited.
________________________________
3:54 p.m.
I've got no clue what the value should be, tried to search on Google, but
doesn't make much sense to me.
On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi> wrote:
there is discussion on this issue, also on stack overflow
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
“Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR
LEG"”
Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas Raehalme
Lähetetty: 14. huhtikuuta 2016 16:22
Vastaanottaja: Stian Thorgersen
Kopio: keycloak-user
Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
I created KEYCLOAK-2828 for this issue and will do a PR as well.
What do you think the value should be? As I wrote earlier it does not seem
to make a difference to IE.
Best regards,
Thomas
On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Can you create a JIRA for it please? If you fancy doing a PR you can add
the header to LoginStatusIframeEndpoint.
On 14 April 2016 at 15:09, Thomas Raehalme <
thomas.raehalme(a)aitiofinland.com> wrote:
On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
What do you mean about "if the URL is something like"?
The only iframe Keycloak uses is in the JavaScript adapter and it's only
the session iframe. That would be the only place it would be relevant for
Keycloak to set P3P header, but don't think it's need AFAIK it works just
fine on IE.
Sorry for being a little too vague.
Among other UIs our application has a web front-end based on AngularJS and
it's utilizing the JavaScript adapter for authentication. When I login to
the application I can inspect the HTML and see an <iframe /> element with
the following URL:
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
Without the P3P header there is an eternal loop between our web front-end
and Keycloak where the browser is being redirected from one to the other.
After adding the P3P header the problem was solved.
Best regards,
Thomas
________________________________
Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista
tietoa, joka on tarkoitettu
vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita viestin
lähettäjälle tapahtuneesta
virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen,
kopioiminen, jakelu tai muu
käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti
kielletty.
This message (including any attachments) may contain confidential
information intended for
the person or entity to which it is addressed. If you are not the intended
recipient, notify the
sender and delete this message immediately. Notice that disclosing,
copying, distributing or any
other use of the message and its information, or taking any action based
on it, is strictly prohibited.
________________________________
4 p.m.
so, that header can contain any non-sense, magic value, heh..
similar, like java have magic number "0xCAFEBABE"
Lähettäjä: Stian Thorgersen [mailto:sthorger@redhat.com]
Lähetetty: 14. huhtikuuta 2016 16:55
Vastaanottaja: Jukka Sirviö
Kopio: Thomas Raehalme; keycloak-user
Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
I've got no clue what the value should be, tried to search on Google, but doesn't
make much sense to me.
On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi> wrote:
there is discussion on this issue, also on stack overflow
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
“Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"”
Lähettäjä: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] Puolesta Thomas Raehalme
Lähetetty: 14. huhtikuuta 2016 16:22
Vastaanottaja: Stian Thorgersen
Kopio: keycloak-user
Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
I created KEYCLOAK-2828 for this issue and will do a PR as well.
What do you think the value should be? As I wrote earlier it does not seem to make a
difference to IE.
Best regards,
Thomas
On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Can you create a JIRA for it please? If you fancy doing a PR you can add the header to
LoginStatusIframeEndpoint.
On 14 April 2016 at 15:09, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>
wrote:
On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
What do you mean about "if the URL is something like"?
The only iframe Keycloak uses is in the JavaScript adapter and it's only the session
iframe. That would be the only place it would be relevant for Keycloak to set P3P header,
but don't think it's need AFAIK it works just fine on IE.
Sorry for being a little too vague.
Among other UIs our application has a web front-end based on AngularJS and it's
utilizing the JavaScript adapter for authentication. When I login to the application I can
inspect the HTML and see an <iframe /> element with the following URL:
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
Without the P3P header there is an eternal loop between our web front-end and Keycloak
where the browser is being redirected from one to the other. After adding the P3P header
the problem was solved.
Best regards,
Thomas
________________________________
Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista tietoa, joka on
tarkoitettu
vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita viestin lähettäjälle
tapahtuneesta
virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen, kopioiminen, jakelu
tai muu
käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti kielletty.
This message (including any attachments) may contain confidential information intended
for
the person or entity to which it is addressed. If you are not the intended recipient,
notify the
sender and delete this message immediately. Notice that disclosing, copying, distributing
or any
other use of the message and its information, or taking any action based on it, is
strictly prohibited.
________________________________
4 p.m.
W3C has the spec but since nobody is really using this I don't think the
value matters. But instead of making up some policy definition I think that
the Google way would be the best. What do you think?
Best regards,
Thomas
On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger(a)redhat.com> wrote:
I've got no clue what the value should be, tried to search on
Google, but
doesn't make much sense to me.
On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi> wrote:
> there is discussion on this issue, also on stack overflow
>
>
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
>
> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR
> LEG"”
>
>
> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas Raehalme
> Lähetetty: 14. huhtikuuta 2016 16:22
> Vastaanottaja: Stian Thorgersen
> Kopio: keycloak-user
> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>
> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>
> What do you think the value should be? As I wrote earlier it does not
> seem to make a difference to IE.
>
> Best regards,
> Thomas
>
>
> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
> Can you create a JIRA for it please? If you fancy doing a PR you can add
> the header to LoginStatusIframeEndpoint.
>
> On 14 April 2016 at 15:09, Thomas Raehalme <
> thomas.raehalme(a)aitiofinland.com> wrote:
> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
> What do you mean about "if the URL is something like"?
>
> The only iframe Keycloak uses is in the JavaScript adapter and it's only
> the session iframe. That would be the only place it would be relevant for
> Keycloak to set P3P header, but don't think it's need AFAIK it works just
> fine on IE.
>
> Sorry for being a little too vague.
>
> Among other UIs our application has a web front-end based on AngularJS
> and it's utilizing the JavaScript adapter for authentication. When I login
> to the application I can inspect the HTML and see an <iframe /> element
> with the following URL:
>
>
>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>
> Without the P3P header there is an eternal loop between our web front-end
> and Keycloak where the browser is being redirected from one to the other.
> After adding the P3P header the problem was solved.
>
> Best regards,
> Thomas
>
>
>
> ________________________________
>
> Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista
> tietoa, joka on tarkoitettu
> vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita viestin
> lähettäjälle tapahtuneesta
> virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen,
> kopioiminen, jakelu tai muu
> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti
> kielletty.
>
> This message (including any attachments) may contain confidential
> information intended for
> the person or entity to which it is addressed. If you are not the
> intended recipient, notify the
> sender and delete this message immediately. Notice that disclosing,
> copying, distributing or any
> other use of the message and its information, or taking any action based
> on it, is strictly prohibited.
>
> ________________________________
>
4:03 p.m.
I don't think the Google way is good for us as we'd need to have a similar
page. Further, it wouldn't be correct to have a Keycloak page that
describes the policy for other companies. So we need to figure out what the
correct value should be I think.
On 14 April 2016 at 16:00, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com
wrote:
> W3C has the spec but since nobody is really using this I don't think the
> value matters. But instead of making up some policy definition I think that
> the Google way would be the best. What do you think?
>
> Best regards,
> Thomas
> On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger(a)redhat.com wrote:
>
>> I've got no clue what the value should be, tried to search on Google, but
>> doesn't make much sense to me.
>>
>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi wrote:
>>
>>> there is discussion on this issue, also on stack overflow
>>>
>>>
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
>>>
>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR
>>> LEG"”
>>>
>>>
>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas Raehalme
>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>> Vastaanottaja: Stian Thorgersen
>>> Kopio: keycloak-user
>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>
>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>
>>> What do you think the value should be? As I wrote earlier it does not
>>> seem to make a difference to IE.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>> wrote:
>>> Can you create a
JIRA for it please? If you fancy doing a PR you can add
>>> the header to LoginStatusIframeEndpoint.
>>>
>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>> thomas.raehalme(a)aitiofinland.com wrote:
>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>> wrote:
>>> What do you mean
about "if the URL is something like"?
>>>
>>> The only iframe Keycloak uses is in the JavaScript adapter and it's only
>>> the session iframe. That would be the only place it would be relevant for
>>> Keycloak to set P3P header, but don't think it's need AFAIK it works
just
>>> fine on IE.
>>>
>>> Sorry for being a little too vague.
>>>
>>> Among other UIs our application has a web front-end based on AngularJS
>>> and it's utilizing the JavaScript adapter for authentication. When I
login
>>> to the application I can inspect the HTML and see an <iframe />
element
>>> with the following URL:
>>>
>>>
>>>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>>>
>>> Without the P3P header there is an eternal loop between our web
>>> front-end and Keycloak where the browser is being redirected from one to
>>> the other. After adding the P3P header the problem was solved.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>>
>>> ________________________________
>>>
>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista
>>> tietoa, joka on tarkoitettu
>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita viestin
>>> lähettäjälle tapahtuneesta
>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen,
>>> kopioiminen, jakelu tai muu
>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti
>>> kielletty.
>>>
>>> This message (including any attachments) may contain confidential
>>> information intended for
>>> the person or entity to which it is addressed. If you are not the
>>> intended recipient, notify the
>>> sender and delete this message immediately. Notice that disclosing,
>>> copying, distributing or any
>>> other use of the message and its information, or taking any action based
>>> on it, is strictly prohibited.
>>>
>>> ________________________________
>>>
>>
>>
4:05 p.m.
This is rather funny take a look at https://www.w3.org/P3P/details.html and
try the links for the suggested policy editors. Half of them don't work and
the rest is advertisement!
On 14 April 2016 at 16:03, Stian Thorgersen <sthorger(a)redhat.com> wrote:
I don't think the Google way is good for us as we'd need to
have a similar
page. Further, it wouldn't be correct to have a Keycloak page that
describes the policy for other companies. So we need to figure out what the
correct value should be I think.
On 14 April 2016 at 16:00, Thomas Raehalme <
thomas.raehalme(a)aitiofinland.com> wrote:
> W3C has the spec but since nobody is really using this I don't think the
> value matters. But instead of making up some policy definition I think that
> the Google way would be the best. What do you think?
>
> Best regards,
> Thomas
> On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger(a)redhat.com>
wrote:
>
>> I've got no clue what the value should be, tried to search on Google,
>> but doesn't make much sense to me.
>>
>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi> wrote:
>>
>>> there is discussion on this issue, also on stack overflow
>>>
>>>
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
>>>
>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR
>>> LEG"”
>>>
>>>
>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas Raehalme
>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>> Vastaanottaja: Stian Thorgersen
>>> Kopio: keycloak-user
>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>
>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>
>>> What do you think the value should be? As I wrote earlier it does not
>>> seem to make a difference to IE.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>>> wrote:
>>> Can you create a JIRA for it please? If you fancy doing a PR you can
>>> add the header to LoginStatusIframeEndpoint.
>>>
>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>>> wrote:
>>> What do you mean about "if the URL is something like"?
>>>
>>> The only iframe Keycloak uses is in the JavaScript adapter and it's
>>> only the session iframe. That would be the only place it would be relevant
>>> for Keycloak to set P3P header, but don't think it's need AFAIK it
works
>>> just fine on IE.
>>>
>>> Sorry for being a little too vague.
>>>
>>> Among other UIs our application has a web front-end based on AngularJS
>>> and it's utilizing the JavaScript adapter for authentication. When I
login
>>> to the application I can inspect the HTML and see an <iframe />
element
>>> with the following URL:
>>>
>>>
>>>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>>>
>>> Without the P3P header there is an eternal loop between our web
>>> front-end and Keycloak where the browser is being redirected from one to
>>> the other. After adding the P3P header the problem was solved.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>>
>>> ________________________________
>>>
>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista
>>> tietoa, joka on tarkoitettu
>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita
>>> viestin lähettäjälle tapahtuneesta
>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen,
>>> kopioiminen, jakelu tai muu
>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti
>>> kielletty.
>>>
>>> This message (including any attachments) may contain confidential
>>> information intended for
>>> the person or entity to which it is addressed. If you are not the
>>> intended recipient, notify the
>>> sender and delete this message immediately. Notice that disclosing,
>>> copying, distributing or any
>>> other use of the message and its information, or taking any action
>>> based on it, is strictly prohibited.
>>>
>>> ________________________________
>>>
>>
>>
4:06 p.m.
Well I didn't mean exactly the same message with a link and everything, but
just something like "This is not a policy definition."
Best regards,
Thomas
On Apr 14, 2016 17:03, "Stian Thorgersen" <sthorger(a)redhat.com> wrote:
I don't think the Google way is good for us as we'd need to
have a similar
page. Further, it wouldn't be correct to have a Keycloak page that
describes the policy for other companies. So we need to figure out what the
correct value should be I think.
On 14 April 2016 at 16:00, Thomas Raehalme <
thomas.raehalme(a)aitiofinland.com> wrote:
> W3C has the spec but since nobody is really using this I don't think the
> value matters. But instead of making up some policy definition I think that
> the Google way would be the best. What do you think?
>
> Best regards,
> Thomas
> On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger(a)redhat.com>
wrote:
>
>> I've got no clue what the value should be, tried to search on Google,
>> but doesn't make much sense to me.
>>
>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi> wrote:
>>
>>> there is discussion on this issue, also on stack overflow
>>>
>>>
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
>>>
>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR
>>> LEG"”
>>>
>>>
>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas Raehalme
>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>> Vastaanottaja: Stian Thorgersen
>>> Kopio: keycloak-user
>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>
>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>
>>> What do you think the value should be? As I wrote earlier it does not
>>> seem to make a difference to IE.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>>> wrote:
>>> Can you create a JIRA for it please? If you fancy doing a PR you can
>>> add the header to LoginStatusIframeEndpoint.
>>>
>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>>> wrote:
>>> What do you mean about "if the URL is something like"?
>>>
>>> The only iframe Keycloak uses is in the JavaScript adapter and it's
>>> only the session iframe. That would be the only place it would be relevant
>>> for Keycloak to set P3P header, but don't think it's need AFAIK it
works
>>> just fine on IE.
>>>
>>> Sorry for being a little too vague.
>>>
>>> Among other UIs our application has a web front-end based on AngularJS
>>> and it's utilizing the JavaScript adapter for authentication. When I
login
>>> to the application I can inspect the HTML and see an <iframe />
element
>>> with the following URL:
>>>
>>>
>>>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>>>
>>> Without the P3P header there is an eternal loop between our web
>>> front-end and Keycloak where the browser is being redirected from one to
>>> the other. After adding the P3P header the problem was solved.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>>
>>> ________________________________
>>>
>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista
>>> tietoa, joka on tarkoitettu
>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita
>>> viestin lähettäjälle tapahtuneesta
>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen,
>>> kopioiminen, jakelu tai muu
>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti
>>> kielletty.
>>>
>>> This message (including any attachments) may contain confidential
>>> information intended for
>>> the person or entity to which it is addressed. If you are not the
>>> intended recipient, notify the
>>> sender and delete this message immediately. Notice that disclosing,
>>> copying, distributing or any
>>> other use of the message and its information, or taking any action
>>> based on it, is strictly prohibited.
>>>
>>> ________________________________
>>>
>>
>>
4:11 p.m.
I think we need to make it configurable. Could use messages from login
theme as a simple solution?
sessionIframeP3P=CP="This is not a P3P policy!"
On 14 April 2016 at 16:06, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com
wrote:
> Well I didn't mean exactly the same message with a link and everything,
> but just something like "This is not a policy definition."
>
> Best regards,
> Thomas
> On Apr 14, 2016 17:03, "Stian Thorgersen" <sthorger(a)redhat.com wrote:
>
>> I don't think the Google way is good for us as we'd need to have a
>> similar page. Further, it wouldn't be correct to have a Keycloak page that
>> describes the policy for other companies. So we need to figure out what the
>> correct value should be I think.
>>
>> On 14 April 2016 at 16:00, Thomas Raehalme <
>> thomas.raehalme(a)aitiofinland.com wrote:
>>
>>> W3C has the spec but since nobody is really using this I don't think the
>>> value matters. But instead of making up some policy definition I think that
>>> the Google way would be the best. What do you think?
>>>
>>> Best regards,
>>> Thomas
>>> On Apr 14, 2016 16:54, "Stian Thorgersen"
<sthorger(a)redhat.com wrote:
>>>
>>>> I've got no clue what the value should be, tried to search on
Google,
>>>> but doesn't make much sense to me.
>>>>
>>>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi wrote:
>>>>
>>>>> there is discussion on this issue, also on stack overflow
>>>>>
>>>>>
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
>>>>>
>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM
OTR
>>>>> UNR LEG"”
>>>>>
>>>>>
>>>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
>>>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas Raehalme
>>>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>>>> Vastaanottaja: Stian Thorgersen
>>>>> Kopio: keycloak-user
>>>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>
>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>>>
>>>>> What do you think the value should be? As I wrote earlier it does
not
>>>>> seem to make a difference to IE.
>>>>>
>>>>> Best regards,
>>>>> Thomas
>>>>>
>>>>>
>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>>>> wrote:
>>>>> Can you
create a JIRA for it please? If you fancy doing a PR you can
>>>>> add the header to LoginStatusIframeEndpoint.
>>>>>
>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>> thomas.raehalme(a)aitiofinland.com wrote:
>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen
<sthorger(a)redhat.com>
>>>> wrote:
>>>>> What do
you mean about "if the URL is something like"?
>>>>>
>>>>> The only iframe Keycloak uses is in the JavaScript adapter and
it's
>>>>> only the session iframe. That would be the only place it would be
relevant
>>>>> for Keycloak to set P3P header, but don't think it's need
AFAIK it works
>>>>> just fine on IE.
>>>>>
>>>>> Sorry for being a little too vague.
>>>>>
>>>>> Among other UIs our application has a web front-end based on
AngularJS
>>>>> and it's utilizing the JavaScript adapter for authentication.
When I login
>>>>> to the application I can inspect the HTML and see an <iframe />
element
>>>>> with the following URL:
>>>>>
>>>>>
>>>>>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>>>>>
>>>>> Without the P3P header there is an eternal loop between our web
>>>>> front-end and Keycloak where the browser is being redirected from one
to
>>>>> the other. After adding the P3P header the problem was solved.
>>>>>
>>>>> Best regards,
>>>>> Thomas
>>>>>
>>>>>
>>>>>
>>>>> ________________________________
>>>>>
>>>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää
luottamuksellista
>>>>> tietoa, joka on tarkoitettu
>>>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita
>>>>> viestin lähettäjälle tapahtuneesta
>>>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton
julkaiseminen,
>>>>> kopioiminen, jakelu tai muu
>>>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on
ehdottomasti
>>>>> kielletty.
>>>>>
>>>>> This message (including any attachments) may contain confidential
>>>>> information intended for
>>>>> the person or entity to which it is addressed. If you are not the
>>>>> intended recipient, notify the
>>>>> sender and delete this message immediately. Notice that disclosing,
>>>>> copying, distributing or any
>>>>> other use of the message and its information, or taking any action
>>>>> based on it, is strictly prohibited.
>>>>>
>>>>> ________________________________
>>>>>
>>>>
>>>>
>>
2:46 p.m.
On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
I think we need to make it configurable. Could use messages from
login
theme as a simple solution?
sessionIframeP3P=CP="This is not a P3P policy!"
Using theme properties was a good idea.
Is there an existing test I could extend to verify the presence of the
header?
On 14 April 2016 at 16:06, Thomas Raehalme <
thomas.raehalme(a)aitiofinland.com> wrote:
> Well I didn't mean exactly the same message with a link and everything,
> but just something like "This is not a policy definition."
>
> Best regards,
> Thomas
> On Apr 14, 2016 17:03, "Stian Thorgersen" <sthorger(a)redhat.com>
wrote:
>
>> I don't think the Google way is good for us as we'd need to have a
>> similar page. Further, it wouldn't be correct to have a Keycloak page that
>> describes the policy for other companies. So we need to figure out what the
>> correct value should be I think.
>>
>> On 14 April 2016 at 16:00, Thomas Raehalme <
>> thomas.raehalme(a)aitiofinland.com> wrote:
>>
>>> W3C has the spec but since nobody is really using this I don't think
>>> the value matters. But instead of making up some policy definition I think
>>> that the Google way would be the best. What do you think?
>>>
>>> Best regards,
>>> Thomas
>>> On Apr 14, 2016 16:54, "Stian Thorgersen"
<sthorger(a)redhat.com> wrote:
>>>
>>>> I've got no clue what the value should be, tried to search on
Google,
>>>> but doesn't make much sense to me.
>>>>
>>>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio(a)mipro.fi>
wrote:
>>>>
>>>>> there is discussion on this issue, also on stack overflow
>>>>>
>>>>>
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
>>>>>
>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM
OTR
>>>>> UNR LEG"”
>>>>>
>>>>>
>>>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
>>>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas Raehalme
>>>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>>>> Vastaanottaja: Stian Thorgersen
>>>>> Kopio: keycloak-user
>>>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>
>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>>>
>>>>> What do you think the value should be? As I wrote earlier it does
not
>>>>> seem to make a difference to IE.
>>>>>
>>>>> Best regards,
>>>>> Thomas
>>>>>
>>>>>
>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <
>>>>> sthorger(a)redhat.com> wrote:
>>>>> Can you create a JIRA for it please? If you fancy doing a PR you can
>>>>> add the header to LoginStatusIframeEndpoint.
>>>>>
>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <
>>>>> sthorger(a)redhat.com> wrote:
>>>>> What do you mean about "if the URL is something like"?
>>>>>
>>>>> The only iframe Keycloak uses is in the JavaScript adapter and
it's
>>>>> only the session iframe. That would be the only place it would be
relevant
>>>>> for Keycloak to set P3P header, but don't think it's need
AFAIK it works
>>>>> just fine on IE.
>>>>>
>>>>> Sorry for being a little too vague.
>>>>>
>>>>> Among other UIs our application has a web front-end based on
>>>>> AngularJS and it's utilizing the JavaScript adapter for
authentication.
>>>>> When I login to the application I can inspect the HTML and see an
<iframe
>>>>> /> element with the following URL:
>>>>>
>>>>>
>>>>>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>>>>>
>>>>> Without the P3P header there is an eternal loop between our web
>>>>> front-end and Keycloak where the browser is being redirected from one
to
>>>>> the other. After adding the P3P header the problem was solved.
>>>>>
>>>>> Best regards,
>>>>> Thomas
>>>>>
>>>>>
>>>>>
>>>>> ________________________________
>>>>>
>>>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää
>>>>> luottamuksellista tietoa, joka on tarkoitettu
>>>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita
>>>>> viestin lähettäjälle tapahtuneesta
>>>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton
>>>>> julkaiseminen, kopioiminen, jakelu tai muu
>>>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on
ehdottomasti
>>>>> kielletty.
>>>>>
>>>>> This message (including any attachments) may contain confidential
>>>>> information intended for
>>>>> the person or entity to which it is addressed. If you are not the
>>>>> intended recipient, notify the
>>>>> sender and delete this message immediately. Notice that disclosing,
>>>>> copying, distributing or any
>>>>> other use of the message and its information, or taking any action
>>>>> based on it, is strictly prohibited.
>>>>>
>>>>> ________________________________
>>>>>
>>>>
>>>>
>>
3:24 p.m.
No, but feel free to add one to the new testsuite :)
On 15 April 2016 at 14:46, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com
wrote:
>
> On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
>
>> I think we need to make it configurable. Could use messages from login
>> theme as a simple solution?
>>
>> sessionIframeP3P=CP="This is not a P3P policy!"
>>
>
> Using theme properties was a good idea.
>
> Is there an existing test I could extend to verify the presence of the
> header?
>
>
>
>
>
>> On 14 April 2016 at 16:06, Thomas Raehalme <
>> thomas.raehalme(a)aitiofinland.com wrote:
>>
>>> Well I didn't mean exactly the same message with a link and everything,
>>> but just something like "This is not a policy definition."
>>>
>>> Best regards,
>>> Thomas
>>> On Apr 14, 2016 17:03, "Stian Thorgersen"
<sthorger(a)redhat.com wrote:
>>>
>>>> I don't think the Google way is good for us as we'd need to have
a
>>>> similar page. Further, it wouldn't be correct to have a Keycloak page
that
>>>> describes the policy for other companies. So we need to figure out what
the
>>>> correct value should be I think.
>>>>
>>>> On 14 April 2016 at 16:00, Thomas Raehalme <
>>>> thomas.raehalme(a)aitiofinland.com wrote:
>>>>
>>>>> W3C has the spec but since nobody is really using this I don't
think
>>>>> the value matters. But instead of making up some policy definition I
think
>>>>> that the Google way would be the best. What do you think?
>>>>>
>>>>> Best regards,
>>>>> Thomas
>>>>> On Apr 14, 2016 16:54, "Stian Thorgersen"
<sthorger(a)redhat.com wrote:
>>>>>
>>>>>> I've got no clue what the value should be, tried to search on
Google,
>>>>>> but doesn't make much sense to me.
>>>>>>
>>>>>> On 14 April 2016 at 15:30, Jukka Sirviö
<Jukka.Sirvio(a)mipro.fi>
>>>>> wrote:
>>>>>>
>>>>>>> there is discussion on this issue, also on stack overflow
>>>>>>>
>>>>>>>
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-hav...
>>>>>>>
>>>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi
OUR SAM OTR
>>>>>>> UNR LEG"”
>>>>>>>
>>>>>>>
>>>>>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
>>>>>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas
Raehalme
>>>>>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>>>>>> Vastaanottaja: Stian Thorgersen
>>>>>>> Kopio: keycloak-user
>>>>>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>>>
>>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as
well.
>>>>>>>
>>>>>>> What do you think the value should be? As I wrote earlier it
does
>>>>>>> not seem to make a difference to IE.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Thomas
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <
>>>>>>> sthorger(a)redhat.com wrote:
>>>>>>> Can you create a JIRA for it please? If you fancy doing
a PR you can
>>>>>>> add the header to LoginStatusIframeEndpoint.
>>>>>>>
>>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>>>> thomas.raehalme(a)aitiofinland.com wrote:
>>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <
>>>>>>> sthorger(a)redhat.com wrote:
>>>>>>> What do you mean about "if the URL is something
like"?
>>>>>>>
>>>>>>> The only iframe Keycloak uses is in the JavaScript adapter
and it's
>>>>>>> only the session iframe. That would be the only place it
would be relevant
>>>>>>> for Keycloak to set P3P header, but don't think it's
need AFAIK it works
>>>>>>> just fine on IE.
>>>>>>>
>>>>>>> Sorry for being a little too vague.
>>>>>>>
>>>>>>> Among other UIs our application has a web front-end based on
>>>>>>> AngularJS and it's utilizing the JavaScript adapter for
authentication.
>>>>>>> When I login to the application I can inspect the HTML and
see an <iframe
>>>>>>> /> element with the following URL:
>>>>>>>
>>>>>>>
>>>>>>>
https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-st...
>>>>>>>
>>>>>>> Without the P3P header there is an eternal loop between our
web
>>>>>>> front-end and Keycloak where the browser is being redirected
from one to
>>>>>>> the other. After adding the P3P header the problem was
solved.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Thomas
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ________________________________
>>>>>>>
>>>>>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää
>>>>>>> luottamuksellista tietoa, joka on tarkoitettu
>>>>>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja,
ilmoita
>>>>>>> viestin lähettäjälle tapahtuneesta
>>>>>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton
>>>>>>> julkaiseminen, kopioiminen, jakelu tai muu
>>>>>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on
>>>>>>> ehdottomasti kielletty.
>>>>>>>
>>>>>>> This message (including any attachments) may contain
confidential
>>>>>>> information intended for
>>>>>>> the person or entity to which it is addressed. If you are not
the
>>>>>>> intended recipient, notify the
>>>>>>> sender and delete this message immediately. Notice that
disclosing,
>>>>>>> copying, distributing or any
>>>>>>> other use of the message and its information, or taking any
action
>>>>>>> based on it, is strictly prohibited.
>>>>>>>
>>>>>>> ________________________________
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>
>
>
10:09 a.m.
Hello,
sorry for digging this old thread out but I just stumbled over this again.
I found some Keycloak deployments in the wild which explicitly set the
P3P Header to:
P3P:CP="CAO PSA OUR"
This seems to work fine with IE and is a valid P3P header.
See also:
http://stackoverflow.com/questions/5257983/what-does-headerp3p-cp-cao-psa...
I wonder whether this would make a better default setting for the
p3pPolicy setting in
themes/src/main/resources/theme/base/login/messages/messages_*.properties
than the current value of:
p3pPolicy=CP="This is not a P3P policy!"
Cheers,
Thomas
2016-04-15 15:24 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
No, but feel free to add one to the new testsuite :)
On 15 April 2016 at 14:46, Thomas Raehalme <thomas.raehalme@aitiofinland.
com> wrote:
>
> On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> I think we need to make it configurable. Could use messages from login
>> theme as a simple solution?
>>
>> sessionIframeP3P=CP="This is not a P3P policy!"
>>
>
> Using theme properties was a good idea.
>
> Is there an existing test I could extend to verify the presence of the
> header?
>
>
>
>
>
>> On 14 April 2016 at 16:06, Thomas Raehalme <
>> thomas.raehalme(a)aitiofinland.com> wrote:
>>
>>> Well I didn't mean exactly the same message with a link and everything,
>>> but just something like "This is not a policy definition."
>>>
>>> Best regards,
>>> Thomas
>>> On Apr 14, 2016 17:03, "Stian Thorgersen"
<sthorger(a)redhat.com> wrote:
>>>
>>>> I don't think the Google way is good for us as we'd need to have
a
>>>> similar page. Further, it wouldn't be correct to have a Keycloak page
that
>>>> describes the policy for other companies. So we need to figure out what
the
>>>> correct value should be I think.
>>>>
>>>> On 14 April 2016 at 16:00, Thomas Raehalme <
>>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>>>
>>>>> W3C has the spec but since nobody is really using this I don't
think
>>>>> the value matters. But instead of making up some policy definition I
think
>>>>> that the Google way would be the best. What do you think?
>>>>>
>>>>> Best regards,
>>>>> Thomas
>>>>> On Apr 14, 2016 16:54, "Stian Thorgersen"
<sthorger(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> I've got no clue what the value should be, tried to search
on
>>>>>> Google, but doesn't make much sense to me.
>>>>>>
>>>>>> On 14 April 2016 at 15:30, Jukka Sirviö
<Jukka.Sirvio(a)mipro.fi>
>>>>>> wrote:
>>>>>>
>>>>>>> there is discussion on this issue, also on stack overflow
>>>>>>> http://stackoverflow.com/questions/32120129/keycloak-
>>>>>>> is-causing-ie-to-have-an-infinite-loop
>>>>>>>
>>>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi
OUR SAM OTR
>>>>>>> UNR LEG"”
>>>>>>>
>>>>>>>
>>>>>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org [mailto:
>>>>>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas
Raehalme
>>>>>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>>>>>> Vastaanottaja: Stian Thorgersen
>>>>>>> Kopio: keycloak-user
>>>>>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>>>
>>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as
well.
>>>>>>>
>>>>>>> What do you think the value should be? As I wrote earlier it
does
>>>>>>> not seem to make a difference to IE.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Thomas
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <
>>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>> Can you create a JIRA for it please? If you fancy doing a PR
you
>>>>>>> can add the header to LoginStatusIframeEndpoint.
>>>>>>>
>>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <
>>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>> What do you mean about "if the URL is something
like"?
>>>>>>>
>>>>>>> The only iframe Keycloak uses is in the JavaScript adapter
and it's
>>>>>>> only the session iframe. That would be the only place it
would be relevant
>>>>>>> for Keycloak to set P3P header, but don't think it's
need AFAIK it works
>>>>>>> just fine on IE.
>>>>>>>
>>>>>>> Sorry for being a little too vague.
>>>>>>>
>>>>>>> Among other UIs our application has a web front-end based on
>>>>>>> AngularJS and it's utilizing the JavaScript adapter for
authentication.
>>>>>>> When I login to the application I can inspect the HTML and
see an <iframe
>>>>>>> /> element with the following URL:
>>>>>>>
>>>>>>> https://keycloak-server/auth/realms/xxxx/protocol/openid-
>>>>>>>
connect/login-status-iframe.html?client_id=xxxx&origin=xxxx
>>>>>>>
>>>>>>> Without the P3P header there is an eternal loop between our
web
>>>>>>> front-end and Keycloak where the browser is being redirected
from one to
>>>>>>> the other. After adding the P3P header the problem was
solved.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Thomas
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ________________________________
>>>>>>>
>>>>>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää
>>>>>>> luottamuksellista tietoa, joka on tarkoitettu
>>>>>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja,
ilmoita
>>>>>>> viestin lähettäjälle tapahtuneesta
>>>>>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton
>>>>>>> julkaiseminen, kopioiminen, jakelu tai muu
>>>>>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on
>>>>>>> ehdottomasti kielletty.
>>>>>>>
>>>>>>> This message (including any attachments) may contain
confidential
>>>>>>> information intended for
>>>>>>> the person or entity to which it is addressed. If you are not
the
>>>>>>> intended recipient, notify the
>>>>>>> sender and delete this message immediately. Notice that
disclosing,
>>>>>>> copying, distributing or any
>>>>>>> other use of the message and its information, or taking any
action
>>>>>>> based on it, is strictly prohibited.
>>>>>>>
>>>>>>> ________________________________
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:02 a.m.
We can't do that as the P3P policy is a legal policy that has to be set by
each company themselves and we can't just set something on their behalf in
Keycloak. That's why the default just says this is not a p3p policy, which
disables the whole thing. It's a stupid header that should never have been
allowed to exist at all.
On 19 March 2017 at 10:09, Thomas Darimont <thomas.darimont(a)googlemail.com>
wrote:
Hello,
sorry for digging this old thread out but I just stumbled over this again.
I found some Keycloak deployments in the wild which explicitly set the
P3P Header to:
P3P:CP="CAO PSA OUR"
This seems to work fine with IE and is a valid P3P header.
See also: http://stackoverflow.com/questions/5257983/what-does-
headerp3p-cp-cao-psa-our-do
I wonder whether this would make a better default setting for the
p3pPolicy setting in themes/src/main/resources/theme/base/login/messages/
messages_*.properties
than the current value of:
p3pPolicy=CP="This is not a P3P policy!"
Cheers,
Thomas
2016-04-15 15:24 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
> No, but feel free to add one to the new testsuite :)
>
> On 15 April 2016 at 14:46, Thomas Raehalme <thomas.raehalme@aitiofinland.
> com> wrote:
>
>>
>> On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> I think we need to make it configurable. Could use messages from login
>>> theme as a simple solution?
>>>
>>> sessionIframeP3P=CP="This is not a P3P policy!"
>>>
>>
>> Using theme properties was a good idea.
>>
>> Is there an existing test I could extend to verify the presence of the
>> header?
>>
>>
>>
>>
>>
>>> On 14 April 2016 at 16:06, Thomas Raehalme <
>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>>
>>>> Well I didn't mean exactly the same message with a link and
>>>> everything, but just something like "This is not a policy
definition."
>>>>
>>>> Best regards,
>>>> Thomas
>>>> On Apr 14, 2016 17:03, "Stian Thorgersen"
<sthorger(a)redhat.com> wrote:
>>>>
>>>>> I don't think the Google way is good for us as we'd need to
have a
>>>>> similar page. Further, it wouldn't be correct to have a Keycloak
page that
>>>>> describes the policy for other companies. So we need to figure out
what the
>>>>> correct value should be I think.
>>>>>
>>>>> On 14 April 2016 at 16:00, Thomas Raehalme <
>>>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>>>>
>>>>>> W3C has the spec but since nobody is really using this I
don't think
>>>>>> the value matters. But instead of making up some policy
definition I think
>>>>>> that the Google way would be the best. What do you think?
>>>>>>
>>>>>> Best regards,
>>>>>> Thomas
>>>>>> On Apr 14, 2016 16:54, "Stian Thorgersen"
<sthorger(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I've got no clue what the value should be, tried to
search on
>>>>>>> Google, but doesn't make much sense to me.
>>>>>>>
>>>>>>> On 14 April 2016 at 15:30, Jukka Sirviö
<Jukka.Sirvio(a)mipro.fi>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> there is discussion on this issue, also on stack
overflow
>>>>>>>> http://stackoverflow.com/questions/32120129/keycloak-is-
>>>>>>>> causing-ie-to-have-an-infinite-loop
>>>>>>>>
>>>>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA
CONi OUR SAM
>>>>>>>> OTR UNR LEG"”
>>>>>>>>
>>>>>>>>
>>>>>>>> Lähettäjä: keycloak-user-bounces(a)lists.jboss.org
[mailto:
>>>>>>>> keycloak-user-bounces(a)lists.jboss.org] Puolesta Thomas
Raehalme
>>>>>>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>>>>>>> Vastaanottaja: Stian Thorgersen
>>>>>>>> Kopio: keycloak-user
>>>>>>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and
IE
>>>>>>>>
>>>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR
as well.
>>>>>>>>
>>>>>>>> What do you think the value should be? As I wrote earlier
it does
>>>>>>>> not seem to make a difference to IE.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <
>>>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>>> Can you create a JIRA for it please? If you fancy doing a
PR you
>>>>>>>> can add the header to LoginStatusIframeEndpoint.
>>>>>>>>
>>>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>>>>> thomas.raehalme(a)aitiofinland.com> wrote:
>>>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <
>>>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>>> What do you mean about "if the URL is something
like"?
>>>>>>>>
>>>>>>>> The only iframe Keycloak uses is in the JavaScript
adapter and
>>>>>>>> it's only the session iframe. That would be the only
place it would be
>>>>>>>> relevant for Keycloak to set P3P header, but don't
think it's need AFAIK it
>>>>>>>> works just fine on IE.
>>>>>>>>
>>>>>>>> Sorry for being a little too vague.
>>>>>>>>
>>>>>>>> Among other UIs our application has a web front-end based
on
>>>>>>>> AngularJS and it's utilizing the JavaScript adapter
for authentication.
>>>>>>>> When I login to the application I can inspect the HTML
and see an <iframe
>>>>>>>> /> element with the following URL:
>>>>>>>>
>>>>>>>>
https://keycloak-server/auth/realms/xxxx/protocol/openid-con
>>>>>>>>
nect/login-status-iframe.html?client_id=xxxx&origin=xxxx
>>>>>>>>
>>>>>>>> Without the P3P header there is an eternal loop between
our web
>>>>>>>> front-end and Keycloak where the browser is being
redirected from one to
>>>>>>>> the other. After adding the P3P header the problem was
solved.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ________________________________
>>>>>>>>
>>>>>>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää
>>>>>>>> luottamuksellista tietoa, joka on tarkoitettu
>>>>>>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja,
ilmoita
>>>>>>>> viestin lähettäjälle tapahtuneesta
>>>>>>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton
>>>>>>>> julkaiseminen, kopioiminen, jakelu tai muu
>>>>>>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on
>>>>>>>> ehdottomasti kielletty.
>>>>>>>>
>>>>>>>> This message (including any attachments) may contain
confidential
>>>>>>>> information intended for
>>>>>>>> the person or entity to which it is addressed. If you are
not the
>>>>>>>> intended recipient, notify the
>>>>>>>> sender and delete this message immediately. Notice that
>>>>>>>> disclosing, copying, distributing or any
>>>>>>>> other use of the message and its information, or taking
any action
>>>>>>>> based on it, is strictly prohibited.
>>>>>>>>
>>>>>>>> ________________________________
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2593
days inactive
2933
days old
18 comments
4 participants
participants (4)
-
Jukka Sirviö -
Stian Thorgersen -
Thomas Darimont -
Thomas Raehalme