
Re: Removing the same(ish) origin restriction on report-uri

From: Ware, Ryan R <ryan.r.ware@intel.com>
Date: Tue, 28 Feb 2012 12:27:25 +0900
Message-ID: <CAGGTEhP+MVEBXS6aeYtnH_=sZODcm9Ge9yLZ9wS0QpkuKJ6hyw@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-webappsec@w3.org
On Tue, Feb 28, 2012 at 10:01 AM, Adam Barth <w3c@adambarth.com> wrote:

> I went through all the feedback on CSP violation reports today and
> made a bunch of edits based on our previous discussions.  I wanted to
> re-confirm one of those edits with the list:
>
> http://dvcs.w3.org/hg/content-security-policy/rev/275074d083aa
>
> In that edit, I've removed the restriction that the report-uri needs
> to have the same scheme, port, and registry-controlled domain as the
> document-uri.  Originally, we had this restriction because the
> violation reports contained sensitive information, such as
> request-headers.  Since then, we've changed the form of the violation
> reports a bit so that there isn't nearly as much sensitive information
> in the reports (which means we can remove the "ugly" dependency on the
> public suffix list).
>

Can we get an explicit list of which portions of the reports might still
contain sensitive information to better judge if the change is appropriate?

Ryan


> This edit seems consistent with our April 2011 discussions on this
> topic, but since that was a while ago, I wanted to re-confirm with the
> list.
>
> Thanks!
> Adam
>
>
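As an added illustration of the restriction under discussion (example code written for this archive page, not from the thread, the CSP draft, or any browser), the block below implements the old rule that a report-uri must share scheme, port and registry-controlled domain with the document-uri, and the redaction of the one field the thread names as sensitive, request-headers. The PUBLIC_SUFFIXES set is a constructed stand-in for the public suffix list (the "ugly" dependency Adam mentions), and the other report field names in the sample are constructed for the example, not taken from the specification.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list; the real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}

DEFAULT_PORTS = {"http": 80, "https": 443}

# The thread names request-headers as the sensitive field; treating only that field
# as sensitive is an assumption of this example.
SENSITIVE_FIELDS = ("request-headers",)


def registry_controlled_domain(host):
    """Return the registry-controlled domain of host, or None if host is itself a public suffix.

    Uses the longest matching public suffix; with no match, the last label is treated
    as the suffix (the default rule of the public suffix list).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None
            return ".".join(labels[i - 1:])
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def effective_port(parts):
    """Explicit port if given, else the scheme's default port."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def report_uri_allowed(document_uri, report_uri):
    """The pre-edit rule: same scheme, same port, same registry-controlled domain."""
    d, r = urlsplit(document_uri), urlsplit(report_uri)
    if d.scheme != r.scheme:
        return False
    if effective_port(d) != effective_port(r):
        return False
    dd = registry_controlled_domain(d.hostname or "")
    rd = registry_controlled_domain(r.hostname or "")
    return dd is not None and dd == rd


def sanitize_report(report):
    """Drop the fields that made cross-origin delivery risky in the earlier report format."""
    return {k: v for k, v in report.items() if k not in SENSITIVE_FIELDS}


def prepare_delivery(document_uri, report_uri, report, cross_origin_allowed):
    """Return the report to send, or None if the old restriction blocks delivery.

    cross_origin_allowed=True models the edit in the thread: the origin check is skipped,
    so the report must be redacted before it leaves the document's origin.
    """
    if not cross_origin_allowed and not report_uri_allowed(document_uri, report_uri):
        return None
    return sanitize_report(report)


if __name__ == "__main__":
    # Constructed sample report; only "request-headers" is a field named in the thread.
    sample = {
        "document-uri": "https://app.example.com/page",
        "blocked-uri": "https://cdn.third-party.test/script.js",
        "request-headers": "Cookie: session=REDACTED-IN-SAMPLE",
    }
    print(prepare_delivery("https://app.example.com/page",
                           "https://collector.example.org/csp", sample, True))
```

Note that with the constructed suffix list, user.github.io and other.github.io are different registry-controlled domains, which is exactly the case a naive "last two labels" rule gets wrong and why the original restriction needed the public suffix list.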
Received on Tuesday, 28 February 2012 03:38:22 GMT
