
RE: Removing request-headers from CSP violation reports

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 2 Feb 2012 22:24:33 +0000
To: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E01DD2C@DEN-EXDDA-S12.corp.ebay.com>

Are Origin and/or Referer worth whitelisting to determine where requests causing violations are coming from?

> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Thursday, February 02, 2012 1:11 PM
> To: public-webappsec@w3.org
> Subject: Removing request-headers from CSP violation reports
> 
> On the recent telecon, we discussed removing the request-headers field from
> CSP violation reports.  We've seen some examples where exposing the
> request headers leaks sensitive information to servers (e.g.,
> https://bugzilla.mozilla.org/show_bug.cgi?id=664983).  The field doesn't
> provide that much value to the server since it can always look at the request
> headers that come with the violation report itself to pick up details like the
> User-Agent.
> 
> I've made a provisional edit to the spec as follows:
> http://dvcs.w3.org/hg/content-security-policy/rev/044c8c389ad8
> 
> We wanted to run this change by the list to make sure everyone was on
> board.
> 
> Thanks!
> Adam
Received on Thursday, 2 February 2012 22:25:04 GMT
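The mechanism the two messages turn on, shown as an added example that is not part of the original thread, the W3C spec, or any browser's code: a report-uri collector that takes User-Agent (Adam's point) and Origin/Referer (Brad's question) from the headers of the report POST itself, and discards any request-headers field found inside the JSON body. The report layout (a top-level "csp-report" object with document-uri, violated-directive, blocked-uri and a request-headers field), the ALLOWED_REPORT_ORIGINS set, the body size cap and the sample report are all assumptions made for illustration; whether a given browser sends an Origin header on a report POST is not asserted.

```javascript
// Added example for this thread; not code from the W3C spec, a browser, or
// any list participant. The JSON layout (a top-level "csp-report" object with
// document-uri / violated-directive / blocked-uri and a legacy
// request-headers field), the size cap and the origin allowlist are assumptions.

const MAX_BODY_BYTES = 64 * 1024;          // assumed cap on a report body

// Report requests whose Origin header is present but not in this set are
// rejected (Brad's question). Whether a given browser sends Origin on a
// report POST is not asserted here; an absent header is simply recorded.
const ALLOWED_REPORT_ORIGINS = new Set(['https://app.example']);

// The only headers of the report request itself that are copied into the
// stored record. Cookie, Authorization and everything else never reach the log.
const CONTEXT_HEADERS = ['user-agent', 'origin', 'referer'];

// Parse the report body and strip the request-headers field the thread
// proposes removing. The page that triggered the violation may have sent
// cookies or tokens on the blocked request; none of that is stored.
function parseCspReport(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    throw new Error('report body too large');
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    throw new Error('report body is not JSON');
  }
  const report = parsed && parsed['csp-report'];
  if (!report || typeof report !== 'object' || Array.isArray(report)) {
    throw new Error('missing csp-report object');
  }
  const { 'request-headers': dropped, ...kept } = report;
  return { report: kept, droppedRequestHeaders: dropped !== undefined };
}

// Classify the Origin of the report request (header names lowercased, as
// Node's http module presents them).
function originStatus(reportRequestHeaders) {
  const origin = reportRequestHeaders['origin'];
  if (typeof origin !== 'string') return 'absent';
  return ALLOWED_REPORT_ORIGINS.has(origin) ? 'allowed' : 'rejected';
}

// Build the record a collector would store: the cleaned report plus context
// taken from the headers of the report request itself (Adam's point that
// details like User-Agent are available there without a request-headers field).
function buildLogRecord(reportRequestHeaders, rawBody) {
  const status = originStatus(reportRequestHeaders);
  if (status === 'rejected') {
    throw new Error('report from unexpected origin: ' + reportRequestHeaders['origin']);
  }
  const { report, droppedRequestHeaders } = parseCspReport(rawBody);
  const context = {};
  for (const name of CONTEXT_HEADERS) {
    const value = reportRequestHeaders[name];
    if (typeof value === 'string') context[name] = value;
  }
  return { report, context, originStatus: status, droppedRequestHeaders };
}

// Constructed sample (not a captured report): headers of a report POST as
// Node would present them, and a body carrying the field the thread removes.
const SAMPLE_REPORT_HEADERS = {
  'user-agent': 'ExampleBrowser/1.0',
  'origin': 'https://app.example',
  'referer': 'https://app.example/checkout',
  'cookie': 'session=secret-value',
};
const SAMPLE_REPORT_BODY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example/checkout',
    'violated-directive': "script-src 'self'",
    'blocked-uri': 'https://third-party.example/widget.js',
    'request-headers': 'Cookie: session=secret-value\r\nAuthorization: Bearer token',
  },
});

function demo() {
  return buildLogRecord(SAMPLE_REPORT_HEADERS, SAMPLE_REPORT_BODY);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to print the stored record for the sample: the report keeps document-uri, violated-directive and blocked-uri, the request-headers string (with its cookie and bearer token) is gone, and the context carries only User-Agent, Origin and Referer of the report request, never its Cookie header. A report whose Origin is outside the allowlist is refused before the body is parsed.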