
Re: Removing request-headers from CSP violation reports

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 2 Feb 2012 14:47:40 -0800
Message-ID: <CAJE5ia-ZigCDrJ_S4yVA=+C8+maVcX_sZLzK0gBmB1as3RzhrA@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Including the protected document's referrer seems like a good idea.
I'd include it as a separate field though.

Adam


On Thu, Feb 2, 2012 at 2:24 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> Are Origin and/or Referer worth whitelisting to determine where requests causing violations are coming from?
>
>> -----Original Message-----
>> From: Adam Barth [mailto:w3c@adambarth.com]
>> Sent: Thursday, February 02, 2012 1:11 PM
>> To: public-webappsec@w3.org
>> Subject: Removing request-headers from CSP violation reports
>>
>> On the recent telecon, we discussed removing the request-headers field from
>> CSP violation reports.  We've seen some examples where exposing the
>> request headers leaks sensitive information to servers (e.g.,
>> https://bugzilla.mozilla.org/show_bug.cgi?id=664983).  The field doesn't
>> provide that much value to the server since it can always look at the request
>> headers that come with the violation report itself to pick up details like the
>> User-Agent.
>>
>> I've made a provisional edit to the spec as follows:
>> http://dvcs.w3.org/hg/content-security-policy/rev/044c8c389ad8
>>
>> We wanted to run this change by the list to make sure everyone was on
>> board.
>>
>> Thanks!
>> Adam
>
Received on Thursday, 2 February 2012 22:48:39 GMT
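As an added illustration of the receiving side of this thread (example code, not part of the list discussion or the CSP spec): a report endpoint that never persists a `request-headers` field, even if an older client still sends one, and that takes details such as User-Agent from the headers of the report POST itself, as Adam's message suggests. The report field names and the `csp-report` wrapper key are assumed from the drafts of that period; adjust them to the schema your policy actually produces.

```python
"""Minimal CSP violation-report receiver (added example, not spec code)."""
import json

# Report fields the receiver is willing to keep (assumed names from the
# CSP drafts of the time; the referrer stays as its own separate field).
ALLOWED_REPORT_FIELDS = {
    "document-uri", "referrer", "blocked-uri", "violated-directive",
    "original-policy",
}
# The field this thread proposes dropping: request headers of the protected
# document. They may carry cookies or other sensitive data, so the receiver
# must not persist them regardless of what the client sends.
DROPPED_REPORT_FIELDS = {"request-headers"}
MAX_BODY_BYTES = 16 * 1024


def normalize_report(body: bytes, request_headers: dict) -> dict:
    """Parse a POSTed report and build the record worth logging.

    `request_headers` are the headers of the report POST itself; that is
    where the receiver picks up the reporter's User-Agent.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("report too large")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed report") from exc
    if not isinstance(payload, dict):
        raise ValueError("malformed report")
    report = payload.get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")

    # Copy only whitelisted fields; everything else is dropped on the floor.
    record = {k: report[k] for k in ALLOWED_REPORT_FIELDS if k in report}
    # Note that a client sent a dropped field, without keeping its value.
    record["dropped-fields"] = sorted(DROPPED_REPORT_FIELDS & report.keys())
    # User-Agent comes from the report POST's own headers, not the body.
    headers = {k.lower(): v for k, v in request_headers.items()}
    record["reporter-user-agent"] = headers.get("user-agent", "")
    return record
```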
