[webappsec] call for reportURIs DOM API use cases

At TPAC, we recorded Action 93, to query the list for use cases for the reportURIs portion of the CSP DOM API.

http://www.w3.org/2011/webappsec/track/actions/93

There is a side discussion happening about the proper definition of this structure which we could perhaps moot.

At TPAC, we discussed that report URIs might have potentially sensitive information, such as user or transaction-unique identifiers that would otherwise be inaccessible to the resource instantiation. Disclosing such might allow an attacker to identify and send misleading data to confuse report analytics.

We could not, in the meeting, identify any legitimate use cases for reportURIs. If nobody on this list has such use cases, I suggest we should remove it.

-Brad Hill

Received on Monday, 5 November 2012 14:33:14 UTC
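The concern raised above, as an added example that is not part of the message or of any CSP specification text: if a DOM API handed page scripts the policy's report URIs, a script running in the page could extract any per-user or per-transaction identifier embedded in them and submit syntactically valid violation reports to that endpoint. The policy string, the `session`/`uid` parameters, the origin `app.example.com` and the function names are all constructed for this illustration; the report body layout (a JSON object under a `csp-report` key with `document-uri`, `blocked-uri`, `violated-directive` and `original-policy` members) follows the CSP 1.0 report format.

```javascript
// Added example (not from the original message or from the CSP spec):
// what a page script could do with report URIs exposed by a DOM API.
// All sample values below are constructed for illustration.

// Parse a Content-Security-Policy header value into a Map of directive name
// to its list of values. Directives are ';'-separated; values within a
// directive are whitespace-separated. A repeated directive is ignored, as
// CSP requires the first occurrence to win.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the policy's report-uri values as absolute URLs, resolved against
// the document URL the way a browser would when delivering a report.
function reportUris(headerValue, documentUrl) {
  const values = parseCsp(headerValue).get('report-uri') || [];
  return values.map((v) => new URL(v, documentUrl).href);
}

// Pull the query-string parameters out of a report URI. This is where an
// operator would typically place a per-user or per-transaction identifier
// (it could equally sit in the path; the query case is enough to show the leak).
function identifiersInReportUri(uri) {
  return Object.fromEntries(new URL(uri).searchParams.entries());
}

// Build a CSP 1.0 violation report body. A report assembled by an injected
// script from in-page data looks the same to the collector as one the
// browser generated, which is the analytics-confusion problem the message
// describes.
function forgeViolationReport({ documentUrl, violatedDirective, blockedUri, originalPolicy }) {
  return JSON.stringify({
    'csp-report': {
      'document-uri': documentUrl,
      'referrer': '',
      'blocked-uri': blockedUri,
      'violated-directive': violatedDirective,
      'original-policy': originalPolicy,
    },
  });
}

// Constructed sample: a policy whose report-uri carries session and user ids.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  'report-uri /csp-report?session=7f3a9c1e&uid=42';
const SAMPLE_DOCUMENT = 'https://app.example.com/account';

// Walk through the three steps: learn the endpoint, read the identifiers in
// it, and prepare a misleading report. An injected script would POST `body`
// to uris[0]; this function only returns the pieces so they can be inspected.
function demo() {
  const uris = reportUris(SAMPLE_POLICY, SAMPLE_DOCUMENT);
  const leaked = identifiersInReportUri(uris[0]);
  const body = forgeViolationReport({
    documentUrl: SAMPLE_DOCUMENT,
    violatedDirective: 'script-src',
    blockedUri: 'https://evil.example.net/x.js', // constructed value
    originalPolicy: SAMPLE_POLICY,
  });
  return { uris, leaked, body };
}

console.log(demo());
```

Run with `node` to print the resolved report URI, the identifiers it carries and the forged report body. The point of the example is the middle step: every identifier the operator put in the report URI is readable by any script in the page once an API exposes the policy, and nothing in the report format lets the collector tell a forged submission from a real one.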