
Re: [webappsec] Including URI fragment in CSP reports (ACTION-43)

From: Giorgio Maone <g.maone@informaction.com>
Date: Tue, 31 Jan 2012 09:29:29 +0100
Message-ID: <4F27A669.3010305@informaction.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
CC: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

IMHO making fragment logging an *opt-in* feature of CSP reports would 
make them considerably more useful than plain HTTP logs in analyzing the 
actual intent of some DOM XSS attempts, but also of two-stage reflected 
XSS attacks like

http://acme.com/?xss=<script>eval(unescape(location))</script>#%0Aalert("surprise")

where the actual payload would be otherwise undetectable.

--
Giorgio Maone
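As an added illustration of the point above (my own example, not code from the thread, from the W3C, or from any browser's CSP implementation): the script below splits the quoted URL into the request-target an HTTP server actually receives and the fragment the browser keeps to itself, and then triages a CSP violation report on the receiving side. The `csp-report` keys `document-uri`, `violated-directive` and `blocked-uri` are real CSP report fields; the `document-fragment` key is a hypothetical opt-in field I assume purely to model the proposal being discussed. The sample URL and reports are constructed inline.

```python
import json
from urllib.parse import urlsplit, unquote

# Constructed sample: the two-stage reflected XSS URL quoted in the thread.
# Stage one sits in the query (and so reaches the server); stage two sits in
# the fragment, which the browser never transmits.
SAMPLE_URL = 'http://acme.com/?xss=<script>eval(unescape(location))</script>#%0Aalert("surprise")'

# Constructed CSP violation reports as a report receiver would see them.
# "document-fragment" is a HYPOTHETICAL opt-in field assumed here to model
# the proposal in the thread; it is not part of CSP.
REPORT_WITH_FRAGMENT = json.dumps({"csp-report": {
    "document-uri": "http://acme.com/?xss=<script>eval(unescape(location))</script>",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "self",
    "document-fragment": "%0Aalert(\"surprise\")",
}})
REPORT_WITHOUT_FRAGMENT = json.dumps({"csp-report": {
    "document-uri": "http://acme.com/?xss=<script>eval(unescape(location))</script>",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "self",
}})


def server_visible(url):
    """Split a URL into the request-target an HTTP server (and its access log)
    receives and the fragment, which stays in the browser. The fragment is
    percent-decoded, as unescape(location) in the first stage would decode it."""
    parts = urlsplit(url)
    request_target = parts.path + ("?" + parts.query if parts.query else "")
    return request_target, unquote(parts.fragment)


def triage_report(report_json):
    """Summarise a csp-report for an analyst: does the server-visible query
    reference `location` (a first stage that reads the full URL at runtime),
    and does the report carry the fragment that would hold the second stage?"""
    report = json.loads(report_json)["csp-report"]
    query = urlsplit(report["document-uri"]).query
    fragment = report.get("document-fragment")  # hypothetical opt-in field
    return {
        "stage1_reads_location": "location" in query,
        "second_stage_recoverable": fragment is not None,
        "fragment_payload": unquote(fragment) if fragment is not None else None,
    }


if __name__ == "__main__":
    target, fragment = server_visible(SAMPLE_URL)
    print("HTTP log sees :", target)
    print("browser keeps :", repr(fragment))
    print("with fragment :", triage_report(REPORT_WITH_FRAGMENT))
    print("without       :", triage_report(REPORT_WITHOUT_FRAGMENT))
```

Without the fragment, a report receiver can only tell that the query referenced `location`; with the opt-in field it can also recover the decoded second stage, which is exactly the information a plain HTTP log lacks.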
Received on Tuesday, 31 January 2012 08:29:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 31 January 2012 08:29:57 GMT