
Re: Violation reports

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 29 Apr 2011 09:59:37 -0700
Message-ID: <4DBAEE79.9080101@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On 4/28/11 11:48 PM, Adam Barth wrote:
>> If someone has injected a URL into
>> my site the full URL could be a vital clue to the attack.
> 
> A clever attacker wouldn't generate a violation report.

There are a lot of less clever attacks, and CSP is not universally
supported. The very existence of the violation report assumes there
will be something to report.

>> Can we treat the two cases differently?
>>  * if there's no redirection report the full URL, always.
>>  * if a load is blocked after redirecting, report one of
>>   a) only the origin of the blocked request as Adam proposes
>>   b) the original URL that eventually redirected and blocked
>>   c) both somehow
> 
> Treating these cases differently is too complicated.  Complexity has
> large costs and we should be judicious in its application.

If you do b) then the two cases are exactly the same: always report
the URL as it appears in the page.

This could be helpful in some cases (damn, my ad network is now
redirecting to a new affiliate--better add that) but confusing in
others (redirection due to network hijack local to the victim).

-Dan Veditz
Received on Friday, 29 April 2011 17:00:13 GMT
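As an added illustration of the options being debated in this thread (not code from the thread, the CSP spec, or any browser), the Python below computes what a report's `blocked-uri` field would carry under each of the three proposals quoted above, given the URL as it appears in the page and the redirect chain the load actually followed. The `origin_of`, `strip_for_report`, `blocked_uri` and `build_report` functions, the option letters a/b/c, the `redirected-to-origin` key used for option c, and the sample URLs are all assumptions made for this example.

```python
"""Added example, not part of the W3C thread: what a CSP violation report's
blocked-uri would contain under options a), b) and c) from the quoted mail.
Function names, the report shape and the sample URLs are assumptions."""
from __future__ import annotations

import json
from urllib.parse import urlsplit, urlunsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] for http(s) URLs; just the scheme for anything else.
    (Assumption: IPv6 literals are not handled, to keep the example short.)"""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return p.scheme
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def strip_for_report(url: str) -> str:
    """Full URL minus userinfo and fragment, neither of which belongs in a
    report: credentials are secrets, the fragment never left the client."""
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def blocked_uri(page_url: str, redirect_chain: list[str], option: str):
    """Value for blocked-uri.

    page_url       the URL as written in the page (what the site author sees)
    redirect_chain URLs reached by redirects; the last one is the blocked load
    option         'a' origin of the blocked request
                   'b' the original URL that eventually redirected and blocked
                   'c' both (represented here as two fields, an assumption)
    With no redirect every option reports the full page URL, as proposed.
    """
    if not redirect_chain:
        return strip_for_report(page_url)
    final = redirect_chain[-1]
    if option == "a":
        return origin_of(final)
    if option == "b":
        return strip_for_report(page_url)
    if option == "c":
        return {
            "blocked-uri": strip_for_report(page_url),
            "redirected-to-origin": origin_of(final),
        }
    raise ValueError(f"unknown option {option!r}")


def build_report(document_uri: str, directive: str, page_url: str,
                 redirect_chain: list[str], option: str) -> dict:
    """Assemble a minimal csp-report body around the chosen blocked-uri."""
    value = blocked_uri(page_url, redirect_chain, option)
    body = {"document-uri": document_uri, "violated-directive": directive}
    if isinstance(value, dict):
        body.update(value)
    else:
        body["blocked-uri"] = value
    return {"csp-report": body}


# Constructed scenario: the page references an ad server, which redirects to
# an affiliate tracker that the policy does not allow.
PAGE_URL = "https://user:pw@ads.example/serve?id=42#frag"
CHAIN = ["https://affiliate.example/track?u=alice"]

if __name__ == "__main__":
    for opt in "abc":
        rep = build_report("https://site.example/", "img-src 'self'",
                           PAGE_URL, CHAIN, opt)
        print(opt, json.dumps(rep, sort_keys=True))
```

Running it shows the trade-off Dan describes: option a) tells the site owner only that something redirected to `https://affiliate.example`, option b) names the reference they can actually find in their page but hides where it went, and option c) exposes both at the cost of a larger report format.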
