
Re: Request for Change to CSP Specification

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 9 Dec 2011 21:45:48 -0800
Message-ID: <CAPfop_1TsDjzgRoJW=0othbea7=SxoaC-AMqQGOkOyJHUdfiuQ@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Daniel Veditz <dveditz@mozilla.com>, Jason Franklin <jfrankli@cs.cmu.edu>, public-web-security@w3.org

I am starting a new thread about the data that a report should
generate based on your feedback. This is great feedback that I am sure
the list would love to learn from.

But, for this thread, would the ability to send the report cross
origin matter at all?

I feel like the need for more possibly-secret data means you wouldn't
want the ability to send cross-origin reports.


-devdatta

On 9 December 2011 20:50, sird@rckc.at <sird@rckc.at> wrote:
> For instance, what was the URL that triggered the mixed content warning.
> What we get now is "violated directive default-src 'unsafe-inline'
> 'unsafe-eval'".
>
> Something like..
>
> tagName=iframe&url=http://www.youtube.com/html5/xx11111
>
> Would help us know it was a YouTube video.
>
> For XSS, perhaps someone forgot to allow Google's JSAPI:
>
> tagName=script&url=http://www.google.com/jsapi
>
> And while that would be enough for the Mixed Content use case, for other use
> cases we've tried to use it (like Gmail+XSS, for example), we might even need
> a stack trace.
>
> I remember someone (probably Adam?) was proposing triggering a DOM event (on
> top of the report-uri). If that contains more information it would be enough
> at least for us.
>
> Greetings!!
>
> -- Eduardo
>
> On Fri, Dec 9, 2011 at 6:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>
>> > We added CSP to Google+ to detect instances of Mixed Content, and with
>> > the current report data it's just marginally useful.
>> >
>> > I agree with Jason.
>>
>> What improvements would you like to see in the report data? I don't see
>> how the ability to send "marginally useful" data somewhere new solves your
>> problem.
>>
>> -Dan Veditz
>
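As an added illustration (not code from this thread, from Google+ or from any browser), a small report-receiving routine that pulls out the fields Eduardo asks for (the page, the blocked resource URL and the violated directive) and strips query strings and fragments from them, since those are where the "possibly-secret" data Devdatta worries about tends to live. It assumes the JSON `csp-report` body shape (`document-uri`, `blocked-uri`, `violated-directive`) of the later CSP 1.0 report format, which this thread predates; the sample reports are constructed.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample report bodies in the (assumed) CSP 1.0 JSON shape.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://plus.example/posts/1?session=abc",
        "violated-directive": "default-src https:",
        "blocked-uri": "http://www.youtube.com/html5/xx11111?t=42#frag"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://plus.example/posts/1",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://www.google.com/jsapi"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://plus.example/posts/1",
        "violated-directive": "default-src 'unsafe-inline' 'unsafe-eval'",
        "blocked-uri": ""}}),
]


def redact(uri):
    """Keep scheme, host and path only: query strings and fragments of either
    the page or the blocked resource can carry tokens or per-user data, which
    is exactly what should not end up at a (possibly cross-origin) report-uri."""
    if not uri:
        return ""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def classify(report_body):
    """Parse one report body and name the kind of violation it describes."""
    r = json.loads(report_body).get("csp-report", {})
    raw_blocked = r.get("blocked-uri", "")
    page = redact(r.get("document-uri", ""))
    blocked = redact(raw_blocked)
    directive = r.get("violated-directive", "")
    # Browsers use sentinel values rather than a URL for inline script/eval.
    if raw_blocked in ("", "inline", "eval", "self"):
        kind = "inline-or-eval"
    elif page.startswith("https://") and blocked.startswith("http://"):
        kind = "mixed-content"      # https page pulled in a plain-http resource
    elif directive.startswith("script-src"):
        kind = "blocked-script"     # e.g. a script host missing from script-src
    else:
        kind = "blocked-resource"
    return {"kind": kind, "page": page, "blocked": blocked,
            "directive": directive}
```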
Received on Saturday, 10 December 2011 05:46:37 GMT
