
Line numbers in Content Security Policy reports

From: Neil Matatall <neilm@twitter.com>
Date: Fri, 14 Dec 2012 11:50:27 -0800
Message-ID: <CAOFLtbj_S-jWZxWSuPt6R+R9WpmjCmEJnD5AB6X9hAO=3RTjJQ@mail.gmail.com>
To: public-webappsec@w3.org

If inline script is disallowed and I receive a report saying that the
script-src directive was violated which indicates JavaScript has been
injected (or pre-existing) on a page, I would like to know where the code
lives. Knowing this can help you determine where your existing inline
script lives as well as give you hints as to how the script may have been
injected if no inline script was expected.

I would like to propose that we add the line number as part of the 1.1
spec. Thoughts?
Received on Friday, 14 December 2012 22:40:25 GMT
