
Re: Request for Change to CSP Specification

From: <sird@rckc.at>
Date: Fri, 9 Dec 2011 20:50:23 -0800
Message-ID: <CACSvzRxFHXpavJvWEnJQG0bAHETt6c4m5T9orLN5EC95OKKzCQ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Jason Franklin <jfrankli@cs.cmu.edu>, public-web-security@w3.org, Devdatta Akhawe <dev.akhawe@gmail.com>

For instance, what was the URL that triggered the mixed content warning.
What we get now is "violated directive default-src 'unsafe-inline'
'unsafe-eval'".

Something like...

tagName=iframe&url=http://www.youtube.com/html5/xx11111

Would help us know it was a YouTube video.

For XSS, perhaps someone forgot to allow Google's JSAPI:

tagName=script&url=http://www.google.com/jsapi

And while that would be enough for the Mixed Content use case, for other
use cases we've tried to use it for (like Gmail+XSS, for example), we might even
need a stack trace.

I remember someone (probably Adam?) was proposing triggering a DOM event
(on top of the report-uri). If that contains more information it would be
enough at least for us.

Greetings!!

-- Eduardo



On Fri, Dec 9, 2011 at 6:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> > We added CSP to Google+ to detect instances of Mixed Content, and with
> > the current report data it's just marginally useful.
> >
> > I agree with Jason.
>
> What improvements would you like to see in the report data? I don't see
> how the ability to send "marginally useful" data somewhere new solves your
> problem.
>
> -Dan Veditz
>
Received on Saturday, 10 December 2011 04:51:12 GMT
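The fields Eduardo asks for above (the blocked URL and which directive actually blocked it) are what later CSP versions deliver as `blocked-uri` and `effective-directive` in the JSON body POSTed to `report-uri`, and as the same-named properties of the `securitypolicyviolation` DOM event. The following is an added example, not code from this thread or from any CSP implementation: triage logic a report collector could run over such reports to separate mixed-content hits from blocked external scripts. The report bodies, hostnames and the function names `classifyViolation` and `summarize` are constructed for the example.

```javascript
// Triage for CSP violation reports, runnable in Node (no browser needed).
// Field names follow the "csp-report" JSON a browser POSTs to report-uri;
// everything else here (sample data, function names) is constructed.

// Classify one csp-report object: mixed content (http: resource on an
// https: page), a blocked external script, inline/eval code, or other.
function classifyViolation(report) {
  const blocked = report['blocked-uri'] || '';
  const directive = report['effective-directive'] ||
    (report['violated-directive'] || '').split(' ')[0];
  let host = null, blockedScheme = null, docScheme = null;
  try {
    const u = new URL(blocked);      // throws for 'inline', 'eval', ''
    host = u.hostname;
    blockedScheme = u.protocol;
  } catch (e) { /* not a fetchable URL: inline code, eval or empty */ }
  try { docScheme = new URL(report['document-uri']).protocol; } catch (e) {}

  let kind = 'other';
  if (blockedScheme === 'http:' && docScheme === 'https:') {
    kind = 'mixed-content';          // the Google+ use case from the thread
  } else if (host && directive === 'script-src') {
    kind = 'blocked-script';         // e.g. a library missing from the allowlist
  } else if (!host && blocked) {
    kind = 'inline-or-eval';         // "violated default-src 'unsafe-inline'"-style hits
  }
  return { kind, host, directive };
}

// Aggregate many reports into counts keyed by kind|host|directive so one
// noisy origin (an embedded video host, say) collapses into a single line.
function summarize(reports) {
  const counts = {};
  for (const r of reports) {
    const c = classifyViolation(r['csp-report'] || r);
    const key = `${c.kind}|${c.host || '-'}|${c.directive}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports modelled on the cases in the message; the
// JSAPI one uses https so it reads as a missing allowlist entry, not mixed content.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://plus.example.com/', 'blocked-uri': 'http://www.youtube.com/html5/xx11111', 'violated-directive': 'default-src https:', 'effective-directive': 'frame-src' } },
  { 'csp-report': { 'document-uri': 'https://mail.example.com/', 'blocked-uri': 'https://www.google.com/jsapi', 'violated-directive': "script-src 'self'", 'effective-directive': 'script-src' } },
  { 'csp-report': { 'document-uri': 'https://mail.example.com/', 'blocked-uri': 'inline', 'violated-directive': "default-src 'self'", 'effective-directive': 'script-src' } },
];

console.log(JSON.stringify(summarize(SAMPLE_REPORTS), null, 2));
```

In a browser the same `classifyViolation` can be fed a `securitypolicyviolation` event by mapping `blockedURI`, `documentURI` and `effectiveDirective` onto the hyphenated report keys.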
