[keycloak-user] JavaScript client, iframe and IE

Stian Thorgersen sthorger at redhat.com
Mon Mar 20 04:02:58 EDT 2017 

We can't do that as the P3P policy is a legal policy that has to be set by
each company themselves and we can't just set something on their behalf in
Keycloak. That's why the default just says this is not a p3p policy, which
disables the whole thing. It's a stupid header that should never have been
allowed to exist at all.

On 19 March 2017 at 10:09, Thomas Darimont <thomas.darimont at googlemail.com>
wrote:

> Hello,
>
> sorry for digging this old thread out but I just stumbled over this again.
> I found some Keycloak deployments in the wild which explicitly set the
> P3P Header to:
> P3P:CP="CAO PSA OUR"
>
> This seems to work fine with IE and is a valid P3P header.
>
> See also: http://stackoverflow.com/questions/5257983/what-does-
> headerp3p-cp-cao-psa-our-do
>
> I wonder whether this would make a better default setting for the
> p3pPolicy setting in themes/src/main/resources/theme/base/login/messages/
> messages_*.properties
> than the current value of:
> p3pPolicy=CP="This is not a P3P policy!"
>
> Cheers,
> Thomas
>
> 2016-04-15 15:24 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>
>> No, but feel free to add one to the new testsuite :)
>>
>> On 15 April 2016 at 14:46, Thomas Raehalme <thomas.raehalme at aitiofinland.
>> com> wrote:
>>
>>>
>>> On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> I think we need to make it configurable. Could use messages from login
>>>> theme as a simple solution?
>>>>
>>>> sessionIframeP3P=CP="This is not a P3P policy!"
>>>>
>>>
>>> Using theme properties was a good idea.
>>>
>>> Is there an existing test I could extend to verify the presence of the
>>> header?
>>>
>>>
>>>
>>>
>>>
>>>> On 14 April 2016 at 16:06, Thomas Raehalme <
>>>> thomas.raehalme at aitiofinland.com> wrote:
>>>>
>>>>> Well I didn't mean exactly the same message with a link and
>>>>> everything, but just something like "This is not a policy definition."
>>>>>
>>>>> Best regards,
>>>>> Thomas
>>>>> On Apr 14, 2016 17:03, "Stian Thorgersen" <sthorger at redhat.com> wrote:
>>>>>
>>>>>> I don't think the Google way is good for us as we'd need to have a
>>>>>> similar page. Further, it wouldn't be correct to have a Keycloak page that
>>>>>> describes the policy for other companies. So we need to figure out what the
>>>>>> correct value should be I think.
>>>>>>
>>>>>> On 14 April 2016 at 16:00, Thomas Raehalme <
>>>>>> thomas.raehalme at aitiofinland.com> wrote:
>>>>>>
>>>>>>> W3C has the spec but since nobody is really using this I don't think
>>>>>>> the value matters. But instead of making up some policy definition I think
>>>>>>> that the Google way would be the best. What do you think?
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Thomas
>>>>>>> On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I've got no clue what the value should be, tried to search on
>>>>>>>> Google, but doesn't make much sense to me.
>>>>>>>>
>>>>>>>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio at mipro.fi>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> there is discussion on this issue, also on stack overflow
>>>>>>>>> http://stackoverflow.com/questions/32120129/keycloak-is-
>>>>>>>>> causing-ie-to-have-an-infinite-loop
>>>>>>>>>
>>>>>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM
>>>>>>>>> OTR UNR LEG"”
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Lähettäjä: keycloak-user-bounces at lists.jboss.org [mailto:
>>>>>>>>> keycloak-user-bounces at lists.jboss.org] Puolesta Thomas Raehalme
>>>>>>>>> Lähetetty: 14. huhtikuuta 2016 16:22
>>>>>>>>> Vastaanottaja: Stian Thorgersen
>>>>>>>>> Kopio: keycloak-user
>>>>>>>>> Aihe: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>>>>>
>>>>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>>>>>>>
>>>>>>>>> What do you think the value should be? As I wrote earlier it does
>>>>>>>>> not seem to make a difference to IE.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Thomas
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <
>>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>> Can you create a JIRA for it please? If you fancy doing a PR you
>>>>>>>>> can add the header to LoginStatusIframeEndpoint.
>>>>>>>>>
>>>>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>>>>>> thomas.raehalme at aitiofinland.com> wrote:
>>>>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <
>>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>> What do you mean about "if the URL is something like"?
>>>>>>>>>
>>>>>>>>> The only iframe Keycloak uses is in the JavaScript adapter and
>>>>>>>>> it's only the session iframe. That would be the only place it would be
>>>>>>>>> relevant for Keycloak to set P3P header, but don't think it's need AFAIK it
>>>>>>>>> works just fine on IE.
>>>>>>>>>
>>>>>>>>> Sorry for being a little too vague.
>>>>>>>>>
>>>>>>>>> Among other UIs our application has a web front-end based on
>>>>>>>>> AngularJS and it's utilizing the JavaScript adapter for authentication.
>>>>>>>>> When I login to the application I can inspect the HTML and see an <iframe
>>>>>>>>> /> element with the following URL:
>>>>>>>>>
>>>>>>>>> https://keycloak-server/auth/realms/xxxx/protocol/openid-con
>>>>>>>>> nect/login-status-iframe.html?client_id=xxxx&origin=xxxx
>>>>>>>>>
>>>>>>>>> Without the P3P header there is an eternal loop between our web
>>>>>>>>> front-end and Keycloak where the browser is being redirected from one to
>>>>>>>>> the other. After adding the P3P header the problem was solved.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Thomas
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ________________________________
>>>>>>>>>
>>>>>>>>> Tämä sähköpostiviesti (liitteineen) saattaa sisältää
>>>>>>>>> luottamuksellista tietoa, joka on tarkoitettu
>>>>>>>>> vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita
>>>>>>>>> viestin lähettäjälle tapahtuneesta
>>>>>>>>> virheestä ja tuhoa viesti välittömästi. Viestin luvaton
>>>>>>>>> julkaiseminen, kopioiminen, jakelu tai muu
>>>>>>>>> käyttö tai toimenpiteisiin ryhtyminen sen perusteella on
>>>>>>>>> ehdottomasti kielletty.
>>>>>>>>>
>>>>>>>>> This message (including any attachments) may contain confidential
>>>>>>>>> information intended for
>>>>>>>>> the person or entity to which it is addressed. If you are not the
>>>>>>>>> intended recipient, notify the
>>>>>>>>> sender and delete this message immediately. Notice that
>>>>>>>>> disclosing, copying, distributing or any
>>>>>>>>> other use of the message and its information, or taking any action
>>>>>>>>> based on it, is strictly prohibited.
>>>>>>>>>
>>>>>>>>> ________________________________
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>>>
>>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

More information about the keycloak-user mailing list