webappsec-ISSUE-12: Should 'self' be required to be replaced by explicit host in reports?

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 17 Jan 2012 16:42:36 +0000
To: public-webappsec@w3.org
Message-Id: <E1RnC7I-0004u6-73@tibor.w3.org>

webappsec-ISSUE-12: Should 'self' be required to be replaced by explicit host in reports?

http://www.w3.org/2011/webappsec/track/issues/12

Raised by: Brad Hill
On product: 

Section 5.3 of CSP:

In the above sample report the violated-directive field was sent in the way it was interpreted by the user-agent. The directive was made explicit by replacing the keyword 'self' with the explicit host name of the protected resource. This is recommended behavior for user-agents as it reduces ambiguity, making policy violations easier to trace by server admins.

Issue:
Should we add this as a requirement when preparing reports?
Received on Tuesday, 17 January 2012 16:42:37 GMT
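
The ambiguity raised in this issue, seen from the report collector's side, as an added example that is not part of the original message or of the CSP draft: until expansion is required, a collector can normalise violated-directive itself so both forms are counted together. It assumes the explicit form is the origin of the report's document-uri; the function names and the sample reports are constructed for illustration.

```javascript
// Added example (not from the CSP draft): collector-side normalisation of
// violated-directive so 'self' and its explicit form are counted together.

// Expand 'self' using the protected resource's URI.
// Assumption: the explicit form is the origin (scheme://host[:port]).
function expandSelf(directive, documentUri) {
  let origin;
  try {
    origin = new URL(documentUri).origin;
  } catch (e) {
    return null; // malformed document-uri
  }
  if (origin === 'null') return null; // opaque origin, nothing to expand to
  const [name, ...sources] = directive.trim().split(/\s+/);
  const expanded = sources.map((s) => (s.toLowerCase() === "'self'" ? origin : s));
  return [name.toLowerCase(), ...expanded].join(' ');
}

// Count reports per normalised directive; skip reports missing either field.
function tallyViolations(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const r = body && body['csp-report'];
    if (!r) continue;
    const directive = r['violated-directive'];
    const uri = r['document-uri'];
    if (typeof directive !== 'string' || typeof uri !== 'string') continue;
    const key = expandSelf(directive, uri);
    if (key !== null) counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed sample reports: same violation, reported by two user agents.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://shop.example.com/cart',
                    'violated-directive': "img-src 'self'" } },
  { 'csp-report': { 'document-uri': 'https://shop.example.com/cart',
                    'violated-directive': 'img-src https://shop.example.com' } },
  { 'csp-report': { 'document-uri': 'not a uri',
                    'violated-directive': "img-src 'self'" } },
];

for (const [directive, n] of tallyViolations(SAMPLE_REPORTS)) {
  console.log(n, directive);
}
```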