- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 2 Feb 2012 14:47:40 -0800
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Including the protected document's referrer seems like a good idea. I'd include it as a separate field though.

Adam

On Thu, Feb 2, 2012 at 2:24 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> Are Origin and/or Referer worth whitelisting to determine where requests causing violations are coming from?
>
>> -----Original Message-----
>> From: Adam Barth [mailto:w3c@adambarth.com]
>> Sent: Thursday, February 02, 2012 1:11 PM
>> To: public-webappsec@w3.org
>> Subject: Removing request-headers from CSP violation reports
>>
>> On the recent telecon, we discussed removing the request-headers field from
>> CSP violation reports. We've seen some examples where exposing the
>> request headers leaks sensitive information to servers (e.g.,
>> https://bugzilla.mozilla.org/show_bug.cgi?id=664983). The field doesn't
>> provide that much value to the server since it can always look at the request
>> headers that come with the violation report itself to pick up details like the
>> User-Agent.
>>
>> I've made a provisional edit to the spec as follows:
>> http://dvcs.w3.org/hg/content-security-policy/rev/044c8c389ad8
>>
>> We wanted to run this change by the list to make sure everyone was on
>> board.
>>
>> Thanks!
>> Adam
Received on Thursday, 2 February 2012 22:48:39 UTC