
Re: Request for Change to CSP Specification

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 8 Dec 2011 12:28:03 -0800
Message-ID: <CAPfop_2d88BqB=NqciOA0BFJ6bY2T-_j2vwp1tfymPoqK0Q-kA@mail.gmail.com>
To: Jason Franklin <jfrankli@cs.cmu.edu>
Cc: public-web-security@w3.org
I think it is better to wait for the first revision to go live on
browsers and gather feedback from web applications that adopt CSP.  It
might just turn out that needing some INSERT_SOME_IMPORTANT_SECRET
info in the report is important but could be bad to send cross-origin.
There is hardly any data/feedback right now from CSP adopters. The
next revision can add the cross-origin report capability; while the
other way around might be more painful.

--devdatta

On 7 December 2011 17:41, Jason Franklin <jfrankli@cs.cmu.edu> wrote:
> restriction on report-uri in the CSP Specification.  First, I don't
> see how the restriction defends against any reasonable adversary model
> (as Adam Barth also noted in his bugzilla post on 2011-07-18) and
> secondly, it makes it more difficult for a company to provide a
> reporting collection and analysis service. Ideally browsers could be
> instructed to send alerts back to a third-party.  I would like to
> submit a request for this restriction to be removed.
>
> - Jason Franklin
> Research Associate
> Stanford University
>
Received on Thursday, 8 December 2011 20:29:00 GMT
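As an added example (not code from the thread or from any CSP implementation), the same-origin check on `report-uri` that the thread is debating: it parses a CSP header value and lists any `report-uri` endpoint whose origin differs from the protected document's, which is what a deployer would want to audit before a third-party collector is allowed. Function names, the sample policies and the document URL are hypothetical.

```python
from urllib.parse import urljoin, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source-expressions]}."""
    directives = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def origin_of(url):
    """(scheme, host, port) triple; the port defaults per scheme."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def cross_origin_report_uris(header, document_url):
    """Return the report-uri endpoints that are NOT same-origin with the document.

    A relative report-uri is resolved against the document URL, as a browser
    would, so '/csp-report' on https://app.example.com stays same-origin.
    """
    doc_origin = origin_of(document_url)
    offending = []
    for uri in parse_csp(header).get("report-uri", []):
        absolute = urljoin(document_url, uri)
        if origin_of(absolute) != doc_origin:
            offending.append(absolute)
    return offending


if __name__ == "__main__":
    # Constructed sample: one same-origin endpoint, one third-party collector.
    policy = "default-src 'self'; report-uri /csp-report https://collector.example.net/r"
    print(cross_origin_report_uris(policy, "https://app.example.com/page"))
```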

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 8 December 2011 20:29:00 GMT