W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: Violation reports

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 28 Apr 2011 23:36:19 -0700
Message-ID: <4DBA5C63.4030102@mozilla.com>
To: Brandon Sterne <bsterne@mozilla.com>
CC: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
On 4/27/11 8:41 AM, Brandon Sterne wrote:
> On 04/26/2011 01:17 PM, Adam Barth wrote:
>> How about we send the full blocked-uri if it's same origin with
>> report-uri but send only the origin of blocked-uri if it's a different
>> origin?
> 
> Sounds good to me.  If there aren't objections, I'll make this change as
> well.

Minor objection here. I understand Adam's attack and privacy point,
but that applies to redirections. If someone has injected a URL into
my site the full URL could be vital clue to the attack.

Can we treat the two cases differently?
 * if there's no redirection report the full URL, always.
 * if a load is blocked after redirecting, report one of
   a) only the origin of the blocked request as Adam proposes
   b) the original URL that eventually redirected and blocked
   c) both somehow

Not sure c) fits in the currently defined report format. Failing
that I prefer b) to a). Even if it's slightly confusing ("why is
this perfectly fine URL being blocked? Oh, I've got an open
redirector on my site.") people will have a starting point in their
investigation of a blocked potential attack.

-Dan
Received on Friday, 29 April 2011 06:36:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 29 April 2011 06:36:56 GMT