- From: Eduardo Vela <sirdarckcat@gmail.com>
- Date: Fri, 9 Dec 2011 09:24:18 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Jason Franklin <jfrankli@cs.cmu.edu>, public-web-security@w3.org
Received on Friday, 9 December 2011 17:24:54 UTC
Hi! We added CSP to Google+ to detect instances of Mixed Content, and with the current report data it's just marginally useful. I agree with Jason. Greetings!

On Dec 8, 2011 12:29 PM, "Devdatta Akhawe" <dev.akhawe@gmail.com> wrote:
> I think it is better to wait for the first revision to go live on
> browsers and gather feedback from web applications that adopt CSP. It
> might just turn out that needing some INSERT_SOME_IMPORTANT_SECRET
> info in the report is important but could be bad to send cross-origin.
> There is hardly any data/feedback right now from CSP adopters. The
> next revision can add the cross-origin report capability; while the other
> way around might be more painful.
>
> --devdatta
>
> On 7 December 2011 17:41, Jason Franklin <jfrankli@cs.cmu.edu> wrote:
> > restriction on report-uri in the CSP Specification. First, I don't
> > see how the restriction defends against any reasonable adversary model
> > (as Adam Barth also noted in his bugzilla post on 2011-07-18) and
> > secondly, it makes it more difficult for a company to provide a
> > reporting collection and analysis service. Ideally browsers could be
> > instructed to send alerts back to a third party. I would like to
> > submit a request for this restriction to be removed.
> >
> > - Jason Franklin
> > Research Associate
> > Stanford University
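The thread talks about two things a CSP report collector has to deal with: a report-only policy used to surface mixed content (as Eduardo describes for Google+), and the fact that the report-uri endpoint must currently be same-origin, so the site itself has to receive and classify the reports. The following is an added example, not code from the thread, from Google+ or from the CSP specification: a minimal same-origin report handler that parses CSP 1.0-style JSON violation reports ({"csp-report": {...}}) and separates mixed-content violations (an https document loading an http: resource) from everything else. The policy string, the /csp-report path, the example.test hostnames and the sample reports are all constructed for illustration.

```python
"""Added example: classify CSP violation reports, flagging mixed content.

Not part of the original mailing-list thread. The policy, endpoint path,
hostnames and sample reports below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed report-only style policy for an https site: nothing is
# blocked when served as Content-Security-Policy-Report-Only, but every
# http: resource load produces a report to the same-origin endpoint.
REPORT_ONLY_POLICY = "default-src https:; report-uri /csp-report"

# Constructed sample report bodies in the CSP 1.0 JSON shape. They are not
# real data from any site. The third body is deliberately malformed so the
# handler's error path is exercised.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/feed",
        "referrer": "",
        "blocked-uri": "http://cdn.example.test/avatar.png",
        "violated-directive": "default-src https:",
        "original-policy": REPORT_ONLY_POLICY}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/feed",
        "referrer": "",
        "blocked-uri": "https://third.example.test/widget.js",
        "violated-directive": "default-src https:",
        "original-policy": REPORT_ONLY_POLICY}}),
    '{"not": "a csp report"}',
]


def parse_report(body):
    """Return the inner csp-report dict, or None if the body is not a report.

    Reports arrive from browsers, so treat them as untrusted input: a bad
    body must never raise out of the handler.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    report = data.get("csp-report")
    return report if isinstance(report, dict) else None


def is_mixed_content(report):
    """True when an https document attempted to load an http: resource.

    Only the schemes are compared, so the check still works if the browser
    reduces blocked-uri to an origin rather than sending the full URL.
    """
    doc_scheme = urlsplit(report.get("document-uri", "")).scheme
    blocked_scheme = urlsplit(report.get("blocked-uri", "")).scheme
    return doc_scheme == "https" and blocked_scheme == "http"


def classify_reports(bodies):
    """Bucket raw report bodies into mixed-content, other and malformed.

    Returns {"mixed_content": [report, ...], "other": [report, ...],
             "malformed": <count>}.
    """
    result = {"mixed_content": [], "other": [], "malformed": 0}
    for body in bodies:
        report = parse_report(body)
        if report is None:
            result["malformed"] += 1
        elif is_mixed_content(report):
            result["mixed_content"].append(report)
        else:
            result["other"].append(report)
    return result


if __name__ == "__main__":
    summary = classify_reports(SAMPLE_REPORTS)
    for report in summary["mixed_content"]:
        print("mixed content:", report["document-uri"], "->", report["blocked-uri"])
    print("other violations:", len(summary["other"]))
    print("malformed bodies:", summary["malformed"])
```

Because the policy is report-only, a violation report is the only signal that a page pulled in an http: subresource; the mixed_content bucket is what you would page on, while the other bucket (here an https third-party script that simply is not in the source list) is policy tuning rather than a transport-security problem. Under the restriction the thread argues about, the endpoint behind /csp-report has to live on the reporting site's own origin; forwarding the parsed reports to an external analysis service from there is the site's job, not the browser's.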