Removing the same(ish) origin restriction on report-uri

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 27 Feb 2012 17:01:10 -0800
Message-ID: <CAJE5ia_VYyqJo-8JWdRiZpPfDvzLxQtNUpVttHGHrqVh2qaEfw@mail.gmail.com>
To: public-webappsec@w3.org
I went through all the feedback on CSP violation reports today and
made a bunch of edits based on our previous discussions.  I wanted to
re-confirm one of those edits with the list:

http://dvcs.w3.org/hg/content-security-policy/rev/275074d083aa

In that edit, I've removed the restriction that the report-uri needs
to have the same scheme, port, and registry-controlled domain as the
document-uri.  Originally, we had this restriction because the
violation reports contained sensitive information, such as
request-headers.  Since then, we've changed the form of the violation
reports a bit so that there isn't nearly as much sensitive information
in the reports (which means we can remove the "ugly" dependency on the
public suffix list).

This edit seems consistent with our April 2011 discussions on this
topic, but since that was a while ago, I wanted to re-confirm with the
list.

Thanks!
Adam
Received on Tuesday, 28 February 2012 01:02:10 GMT
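As an added example (not part of the original message or of the CSP spec text), here is a Python sketch of the "same scheme, port, and registry-controlled domain" check that the edit removes. It uses a constructed five-entry stand-in for the public suffix list, and the hypothetical `naive_same_site` helper shows why the check cannot be done correctly without that list.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (assumption: a handful of
# entries for illustration, not the real list).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "ac.uk"}


def registry_controlled_domain(host):
    """Return the registrable domain: one label below the longest matching
    public suffix, or None if the host is itself a suffix or has an unknown TLD."""
    labels = host.lower().rstrip(".").split(".")
    # Scanning from the full host downward finds the longest matching suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def effective_port(parts):
    """Explicit port, else the scheme's default (http=80, https=443)."""
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def same_ish_origin(document_uri, report_uri):
    """The pre-edit report-uri restriction: scheme, port and registry-controlled
    domain of the report-uri must match the document-uri."""
    d, r = urlsplit(document_uri), urlsplit(report_uri)
    if not d.hostname or not r.hostname:
        return False
    if d.scheme != r.scheme or effective_port(d) != effective_port(r):
        return False
    dd = registry_controlled_domain(d.hostname)
    rd = registry_controlled_domain(r.hostname)
    return dd is not None and dd == rd


def naive_same_site(host_a, host_b):
    """Hypothetical shortcut that compares only the last two labels. It wrongly
    treats example.co.uk and other.co.uk as the same site, which is exactly why
    the old restriction needed the public suffix list."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]
```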