Re: Two questions about violation reports

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 2 Feb 2012 14:51:12 -0800
Message-ID: <CAJE5ia_Cv2rXn_scXSmAPwOdug1s_BpvsYWPsoZOGCAjEXpQcg@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Feb 2, 2012 at 2:26 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
>> The |request| field in the violation report is defined as the "HTTP request
>> line of the protected resource whose policy was violated including method,
>> URI and HTTP version".  However, this seems like an odd layering violation.
>> For example, why does the server care about the HTTP version?  It seems like
>> a more useful field would just be the URI of the protected document.
>>
>> B) Should we remove the |request| field in place of a |document-uri| field
>> containing the document's URI?  (Recommendation: Yes)
>
> [Hill, Brad]
>
> 1) I think we need clear language about URI fragments in this case.  They are not part of the HTTP request, but they are part of the URI as seen by the User-Agent.
>
> I think the current state of discussion is that the fragment may be desirable as part of violation reports (as it is a frequent carrier for DOMXSS payloads) but should be an OPTIONAL report feature (and therefore version 1.1).  For version 1.0, given the existence of architectures such as web-keys (http://waterken.sourceforge.net/web-key/) that depend on the existing semantics of fragments and their (non-)transmission on the network, we probably should exclude them.

Yeah, that's a good point.  We should probably strip out the fragment
from all the URIs in the reports (e.g., including the blocked-uri).

Adam
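As an added illustration of the conclusion above (not code from this thread or from any user agent), the following sanitizer strips the fragment from every URI-valued field of a violation report before it is sent; the field names "document-uri" and "blocked-uri" follow the thread, while treating "referrer" as a further URI-valued field is an assumption.

```python
from urllib.parse import urldefrag

# URI-valued fields of a violation report. "document-uri" is the field the
# thread proposes in place of the "request" line; "referrer" is assumed here.
URI_FIELDS = ("document-uri", "blocked-uri", "referrer")


def strip_fragment(uri: str) -> str:
    """Return the URI with its fragment (and the '#') removed."""
    return urldefrag(uri).url


def sanitize_report(report: dict) -> dict:
    """Copy of the report with fragments removed from every URI-valued field.

    Fragments are never sent to the server in the HTTP request, so a report
    that carries them leaks client-side state; for web-key style URIs the
    fragment is the capability secret itself.
    """
    clean = dict(report)
    for field in URI_FIELDS:
        value = clean.get(field)
        if isinstance(value, str) and value:
            clean[field] = strip_fragment(value)
    return clean


def leaked_fragments(report: dict) -> list:
    """Names of URI-valued fields whose value still contains a fragment."""
    return [f for f in URI_FIELDS if "#" in str(report.get(f, ""))]


# Constructed sample: a web-key style document URI whose fragment holds the
# unguessable capability, and a blocked script URI that also has a fragment.
SAMPLE_REPORT = {
    "document-uri": "https://app.example/page#mhbqcmmva5ja3",
    "blocked-uri": "https://third-party.example/x.js#frag",
    "referrer": "",
    "violated-directive": "script-src 'self'",
}

if __name__ == "__main__":
    print(leaked_fragments(SAMPLE_REPORT))                 # ['document-uri', 'blocked-uri']
    print(sanitize_report(SAMPLE_REPORT)["document-uri"])  # https://app.example/page
```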
Received on Thursday, 2 February 2012 22:52:10 GMT