
[webappsec] call for reportURIs DOM API use cases

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 5 Nov 2012 14:32:41 +0000
To: "Boris Zbarsky (bzbarsky@MIT.EDU)" <bzbarsky@MIT.EDU>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2DB0D7@DEN-EXDDA-S12.corp.ebay.com>
At TPAC, we recorded Action 93, to query the list for use cases for the reportURIs portion of the CSP DOM API.

http://www.w3.org/2011/webappsec/track/actions/93

There is a side discussion happening about the proper definition of this structure which we could perhaps moot.

At TPAC, we discussed that report URIs might have potentially sensitive information, such as user or transaction-unique identifiers that would otherwise be inaccessible to the resource instantiation.  Disclosing such might allow for an attacker to identify and send misleading data to confuse report analytics.

We could not, in the meeting, identify any legitimate use cases for reportURIs. If nobody on this list has such use cases, I suggest we should remove it.

-Brad Hill
Received on Monday, 5 November 2012 14:33:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 5 November 2012 14:33:15 GMT