W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2012

Two questions about violation reports

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 2 Feb 2012 14:08:03 -0800
Message-ID: <CAJE5ia8yLz9SX5=kx4+Szvk95K=h+LcqGBF5pSq57XaB4eSSYg@mail.gmail.com>
To: public-webappsec@w3.org
Looking at our open issues regarding violation reports, it looks like
there are a couple thing we can improve.

== ISSUE-12 ==

In the example text in Section 5.2 contains the following text:

---8<---
In the above sample report the violated-directive field was sent in
the way it was interpreted by the user-agent. The directive was made
explicit by replacing the keyword 'self' with the explicit host name
of the protected resource. This is recommended behavior for
user-agents as it reduces ambiguity, making policy violations easier
to trace by server admins.
--->8---

but the instructions for sending a violation report don't including
this instruction.  Presumably this transformation shouldn't be
optional for user agents.

A) Should the |violated-directive| field in the violation report be
the text of the violation verbatim from the policy or should the
'self' terms be replaced with the origin of the protected document?
(Recommendation: Verbatim)

== request ==

The |request| field in the violation report is defined as the "HTTP
request line of the protected resource whose policy was violated
including method, URI and HTTP version".  However, this seems like an
odd layering violation.  For example, why does the server care about
the HTTP version?  It seems like a more useful field would just be the
URI of the protected document.

B) Should we remove the |request| field in place of a |document-uri|
field containing the document's URI?  (Recommendation: Yes)

Adam
Received on Thursday, 2 February 2012 22:09:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 2 February 2012 22:09:09 GMT