[keycloak-dev] Avoid older user agents?
Stian Thorgersen
stian at redhat.com
Wed Aug 7 04:45:57 EDT 2013
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Gabriel Cardoso" <gcardoso at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 6 August, 2013 5:04:39 PM
> Subject: Re: [keycloak-dev] Avoid older user agents?
>
> For SSO login, we should support as old as possible (no javascript,
> backward compatible to HTML 4? 3? 2? I don't know you tell me....).
HTML4 transitional is fine, pretty much covers 99.9999% of browsers in use today. We can use JavaScript as long as it's progressive enhancements (for example autofocus or placeholder replacement). The biggest issue is around css/style and testing that it's "pixel perfect", there's several websites out there that can help with this. There may be an official list of browsers Redhat supports, but I would think recent versions of Chrome, Firefox, Safari, Opera (these are all generally updated and there's very few old versions around). For IE6 is announced dead by MS themselves, and IE7 has a relatively low usage, so I would think IE8 is sufficient. That's not to say it won't work with older browsers, it may just look a bit crap.
>
> For admin UI, we can be more restrictive, IMO. The admin UI, is not
> just a UI though. It is a set of REST services that can be called from
> javascript (or whatever langage/platform you want). For security
> reasons we might want to restrict the types of browsers that can make
> these REST requests.
I'm wondering if limiting on agent header is false security as it can be easily changed.
Checking user agent before setting HttpOnly is also IMO not necessary as most browsers do (in fact IE does all the way back to 6 and Firefox to 3!). Anyone that still uses a browser that doesn't support it today are using a heavily out of date (and unsupported browser) so it will be riddled with vulnerabilities in any case.
>
> On 8/6/2013 10:14 AM, Gabriel Cardoso wrote:
> > An important question is to define which older browsers we have to support.
> > Does Red Hat have a list of them? Who defines this?
> >
> > Gabriel
> >
> > On Aug 6, 2013, at 10:24 AM, Bill Burke wrote:
> >
> >> Older browsers don't support HttpOnly cookies, right? So, maybe we
> >> don't set login cookies for these older browsers. For SSO, this will
> >> require a relogin every time. For the admin UI, we just won't allow
> >> interaction with older browsers. We'll do this by checking the
> >> User-Agent header.
> >>
> >> https://issues.jboss.org/browse/KEYCLOAK-23
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list