
Re: Line numbers in Content Security Policy reports

From: Mike West <mkwst@google.com>
Date: Tue, 18 Dec 2012 06:50:28 -0800
Message-ID: <CAKXHy=eg0Cu4MfHg5M+Led0na8MAFMJ7S1T_0g3TEvQh_TsA0Q@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "dveditz@mozilla.com" <dveditz@mozilla.com>, Tanvi Vyas <tanvi@mozilla.com>, Ian Melven <imelven@mozilla.com>

Thanks Neil!

In the general case, I think this is a good idea. I'm not convinced that
giving you X characters of context is helpful, but a line-number (or
perhaps a function name or call stack?) would probably be quite useful.

The only complication I see is the potential privacy impact of revealing
code that an extension or add-on has injected. Ideally, of course,
extensions would bypass a page's CSP, but that isn't currently the case,
despite ongoing work in that direction.

Are there other objections to adding this sort of context? Dan, Tanvi, Ian,
perhaps you could give some feedback regarding Mozilla's current
implementation, which does provide some of this information already?

WDYT?

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
On Fri, Dec 14, 2012 at 11:50 AM, Neil Matatall <neilm@twitter.com> wrote:

> If inline script is disallowed and I receive a report saying that the
> script-src directive was violated which indicates JavaScript has been
> injected (or pre-existing) on a page, I would like to know where the code
> lives. Knowing this can help you determine where your existing inline
> script lives as well as give you hints as to how the script may have been
> injected if no inline script was expected.
>
> I would like to propose that we add the line number as part of the 1.1
> spec. Thoughts?
>
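The proposal above is to add the script's location to a CSP violation report so a defender can tell pre-existing inline script from injected script, while Mike's reply flags the privacy cost of reporting code an extension injected. The following report-collector snippet, which is an added example and not code from either poster, W3C or Google, shows how a receiving endpoint would use that location data for triage. It assumes the JSON field names that CSP Level 2 later standardized (`csp-report` with `source-file`, `line-number`, `column-number`, `blocked-uri`); those names, the extension URL schemes, and all sample reports are assumptions or constructed inputs, not taken from this thread.

```python
"""Triage CSP violation reports by reported source location.

Added example; assumes the CSP Level 2 report shape (a top-level "csp-report"
object carrying "violated-directive", "blocked-uri", "source-file",
"line-number", "column-number"). The sample reports at the bottom are
constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# URL schemes browsers use for extension-injected scripts (assumed list).
# A report pointing at one of these describes what an add-on did, not what
# the page author shipped, so the collector should not log its location.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}


@dataclass
class Location:
    source_file: Optional[str]
    line: Optional[int]
    column: Optional[int]
    inline: bool          # script-src violation caused by inline script
    from_extension: bool  # location points into browser-extension code


def _to_int(value) -> Optional[int]:
    """Report fields arrive as JSON numbers or strings; normalise to int."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_report(raw: str) -> Location:
    """Extract the location fields from one serialised CSP report."""
    body = json.loads(raw)["csp-report"]
    directive = body.get("violated-directive", "")
    blocked = body.get("blocked-uri", "")
    source = body.get("source-file") or None
    scheme = urlsplit(source).scheme if source else ""
    return Location(
        source_file=source,
        line=_to_int(body.get("line-number")),
        column=_to_int(body.get("column-number")),
        # Level 2 reports "inline"; CSP 1.0 sent an empty blocked-uri for
        # inline script, so accept both.
        inline=directive.startswith("script-src") and blocked in ("inline", ""),
        from_extension=scheme in EXTENSION_SCHEMES,
    )


def triage(raw: str) -> str:
    """Return a one-line triage verdict for the report."""
    loc = parse_report(raw)
    if loc.from_extension:
        # Drop the location entirely: logging it would reveal the user's add-ons.
        return "ignore: extension-injected script (location not recorded)"
    if loc.inline:
        if loc.source_file and loc.line is not None:
            where = f"{loc.source_file}:{loc.line}:{loc.column}"
        else:
            where = "unknown location"   # CSP 1.0-style report without line data
        return f"investigate: inline script at {where}"
    return f"blocked external resource {loc.source_file or '(unknown)'}"


# Constructed sample reports (not real traffic).
REPORT_INLINE = json.dumps({"csp-report": {
    "document-uri": "https://example.test/account",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "inline",
    "source-file": "https://example.test/account",
    "line-number": 42, "column-number": 7}})

REPORT_EXTENSION = json.dumps({"csp-report": {
    "document-uri": "https://example.test/account",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "inline",
    "source-file": "chrome-extension://EXAMPLE-EXTENSION-ID/inject.js",
    "line-number": 1, "column-number": 1}})

REPORT_LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://example.test/account",
    "violated-directive": "script-src 'self'",
    "blocked-uri": ""}})

if __name__ == "__main__":
    for report in (REPORT_INLINE, REPORT_EXTENSION, REPORT_LEGACY):
        print(triage(report))
```

With line data present, the first report can be matched straight against the page template to decide whether the inline script is expected; without it (the legacy report) the collector can only say that something inline was blocked, which is exactly the gap the proposal addresses. The extension case is handled by discarding the location before anything is written to logs.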
Received on Tuesday, 18 December 2012 14:51:16 GMT
