
Removing request-headers from CSP violation reports

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 2 Feb 2012 13:11:02 -0800
Message-ID: <CAJE5ia9TmHq7tMgXi0U-Qays=QwZp8DwZxR1_xuw6BWgDp_hwg@mail.gmail.com>
To: public-webappsec@w3.org

On the recent telecon, we discussed removing the request-headers field
from CSP violation reports.  We've seen some examples where exposing
the request headers leaks sensitive information to servers (e.g.,
https://bugzilla.mozilla.org/show_bug.cgi?id=664983).  The field
doesn't provide that much value to the server since it can always look
at the request headers that come with the violation report itself to
pick up details like the User-Agent.

I've made a provisional edit to the spec as follows:
http://dvcs.w3.org/hg/content-security-policy/rev/044c8c389ad8

We wanted to run this change by the list to make sure everyone was on board.

Thanks!
Adam
Received on Thursday, 2 February 2012 21:12:00 GMT
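The argument in the message above, that a report endpoint loses nothing by ignoring the `request-headers` field because the headers it actually needs (such as User-Agent) arrive with the report POST itself, can be shown with a small report-handling function. The following is an added example, not code from the thread or from the CSP spec; the `request-headers` name comes from the message's subject, the other report field names (`csp-report`, `document-uri`, `blocked-uri`, `violated-directive`) are the CSP 1.0 ones, and the sample report body, the shape of its `request-headers` value and the transport headers are all constructed for the illustration.

```python
import json

# Field the message proposes to drop from the report body.
DROPPED_FIELDS = {"request-headers"}


def sanitize_report(raw_body, transport_headers):
    """Parse a CSP violation report and discard its request-headers field.

    raw_body:          JSON text POSTed to the report-uri endpoint.
    transport_headers: the HTTP headers of that POST, i.e. of the report
                       request itself, not of the page that violated the policy.
    Returns the remaining report fields plus the User-Agent taken from the POST,
    which is the value the message says the server can always read directly.
    """
    report = json.loads(raw_body).get("csp-report", {})
    cleaned = {k: v for k, v in report.items() if k not in DROPPED_FIELDS}
    # Header names are case-insensitive; normalise before looking one up.
    lowered = {k.lower(): v for k, v in transport_headers.items()}
    cleaned["reporter-user-agent"] = lowered.get("user-agent", "")
    return cleaned


def leaked_header_names(raw_body):
    """Names of the page's request headers a pre-edit report would expose.

    Useful when auditing stored reports. The value is handled both as a
    name->value mapping and as raw 'Name: value' lines, since the shape of the
    field in old reports is an assumption here.
    """
    report = json.loads(raw_body).get("csp-report", {})
    headers = report.get("request-headers")
    if isinstance(headers, dict):
        return sorted(headers)
    if isinstance(headers, str):
        return sorted(line.split(":", 1)[0].strip()
                      for line in headers.splitlines() if ":" in line)
    return []


# Constructed sample: a report in the pre-edit shape. The request-headers
# field carries the page's own headers, including a session Cookie that the
# reporting server has no business seeing.
SAMPLE_BODY = json.dumps({
    "csp-report": {
        "document-uri": "http://app.example/account",
        "blocked-uri": "http://third-party.example/script.js",
        "violated-directive": "script-src 'self'",
        "request-headers": {
            "Host": "app.example",
            "User-Agent": "ExampleBrowser/1.0 (constructed)",
            "Cookie": "session=constructed-secret-value",
        },
    }
})

# Constructed headers of the report POST itself.
SAMPLE_TRANSPORT_HEADERS = {
    "Content-Type": "application/json",
    "User-Agent": "ExampleBrowser/1.0 (constructed)",
}

if __name__ == "__main__":
    print("would have leaked:", leaked_header_names(SAMPLE_BODY))
    print(json.dumps(sanitize_report(SAMPLE_BODY, SAMPLE_TRANSPORT_HEADERS), indent=2))
```

Run stand-alone, the script lists the header names the old field would have handed to the report server (Cookie among them) and then prints the cleaned report, which still carries the User-Agent because that value was read from the POST, not from the report body.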
