For instance, what was the URL that triggered the mixed content warning. What we get now is "violated directive default-src 'unsafe-inline' 'unsafe-eval'". Something like.. tagName=iframe&url=http://www.youtube.com/html5/xx11111 Would help us know it was a youtube video. For XSS, perhaps someone forgot to allow the Google's JSAPI: tagName=script&url=http://www.google.com/jsapi And while that would be enough for the Mixed Content use case, for other use cases we've tried to use it (Like GMail+XSS for example), we might even need a stack trace. I remember someone (probably Adam?) was proposing triggering a DOM event (on top of the report-uri). If that contains more information it would be enough at least for us. Greetings!! -- Eduardo On Fri, Dec 9, 2011 at 6:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote: > > We added CSP to Google+ to detect instances of Mixed Content, and with > > the current report data its just marginally useful. > > > > I agree with Jason. > > What improvements would you like to see in the report data? I don't see > how the ability to send "marginally useful" data somewhere new solves your > problem. > > -Dan Veditz >
Received on Saturday, 10 December 2011 04:51:12 UTC