Request for Change to CSP Specification

From: Jason Franklin <jfrankli@cs.cmu.edu>
Date: Wed, 7 Dec 2011 17:41:22 -0800
Message-ID: <CABeX1wW=ycaizaRxoNE=P=bFFPuUTyLUnpcQOc9WkN0BN_HTWg@mail.gmail.com>
To: public-web-security@w3.org
restriction on report-uri in the CSP Specification.  First, I don't
see how the restriction defends against any reasonable adversary model
(as Adam Barth also noted in his bugzilla post on 2011-07-18) and
secondly, it makes it more difficult for a company to provide a
reporting collection and analysis service. Ideally browsers could be
instructed to send alerts back to a third party.  I would like to
submit a request for this restriction to be removed.

- Jason Franklin
Research Associate
Stanford University
Received on Thursday, 8 December 2011 19:27:59 GMT