
[webappsec] Including URI fragment in CSP reports (ACTION-43)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 31 Jan 2012 00:24:50 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E01AB57@DEN-EXDDA-S12.corp.ebay.com>

On our last WG call, we raised the issue of URI fragments in CSP reports. Currently, the specification calls for the "HTTP request line of the protected resource whose policy was violated including method, URI and HTTP version". This would exclude URI fragments as they are not sent with the request, but processed locally in the User-Agent. This appears to be correct behavior, as fragments are sometimes used for private context and should not leak, especially in non-same-origin reports.

I would like to propose that the spec be amended to explicitly forbid the sending of URI fragments as a clarification.  Are we aware of any cases where this prohibition would negatively impact the usefulness of the reports?

Brad Hill
Received on Tuesday, 31 January 2012 00:25:24 GMT
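As an added illustration of the behaviour proposed above (example code, not part of the original message or of any CSP implementation): the sender side strips the fragment from every URI placed in a report, and a report-collecting endpoint independently drops any fragment that still arrives, so that a fragment carrying private context is never stored. The JSON field names follow the CSP 1.0 report format; the URLs are constructed sample values.

```python
import json
from urllib.parse import urlsplit, urlunsplit


def strip_fragment(uri):
    """Return uri without its fragment; the fragment is never sent on the wire,
    so it has no place in a report that may cross origins."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def build_report(document_uri, blocked_uri, violated_directive):
    """UA side: build the JSON report body for one violation, with the
    fragment removed from every URI field before it leaves the browser."""
    return {
        "csp-report": {
            "document-uri": strip_fragment(document_uri),
            "blocked-uri": strip_fragment(blocked_uri),
            "violated-directive": violated_directive,
        }
    }


def sanitize_received_report(raw_json):
    """Endpoint side: defence in depth for a report collector. Any URI field
    that still carries a fragment is rewritten before storage, and the names
    of the offending fields are returned so the collector can log the leak."""
    body = json.loads(raw_json).get("csp-report", {})
    leaked = []
    for field in ("document-uri", "blocked-uri"):
        value = body.get(field)
        if value and urlsplit(value).fragment:
            leaked.append(field)
            body[field] = strip_fragment(value)
    return body, leaked


if __name__ == "__main__":
    # Constructed sample: a page whose fragment holds a bearer token.
    report = build_report(
        "https://app.example/inbox#access_token=secret",
        "https://cdn.example/widget.js#v2",
        "script-src 'self'",
    )
    print(json.dumps(report, indent=2))
```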
