
webappsec-ISSUE-11: Violation report privacy issues

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 17 Jan 2012 16:41:33 +0000
To: public-webappsec@w3.org
Message-Id: <E1RnC6H-0004tu-RQ@tibor.w3.org>

http://www.w3.org/2011/webappsec/track/issues/11

Raised by: Brad Hill

Section 4.11 of Content Security Policy:

To send a violation report, the user agent must use an algorithm equivalent to the following:

1. Prepare a dictionary violation dictionary with the following keys and values:

request: HTTP request line of the protected resource whose policy was violated, including method, URI and HTTP version

request-headers: HTTP request headers sent with the request for the protected resource whose policy was violated

blocked-uri: URI of the resource that was prevented from loading due to the policy violation

violated-directive: The policy directive that was violated

original-policy: The original policy as received by the user-agent. If the policy was received via more than one Content Security Policy response header, this field must contain a comma separated list of original policies

Issue: We might need to change some of these keys because they can leak sensitive information.
Received on Tuesday, 17 January 2012 16:41:36 GMT
