
Batching CSP violation reports.

From: Mike West <mkwst@google.com>
Date: Mon, 5 Nov 2012 17:53:23 +0100
Message-ID: <CAKXHy=dzsxkyCNbDD409C-W_v7S-X0rJp_1VYHmP6bckgReTwQ@mail.gmail.com>
To: public-webappsec@w3.org
Cc: Alex Russell <slightlyoff@google.com>
We should probably consider allowing CSP violation reports to be batched
up. Right now we're making one HTTP POST per violation; it might be a good
idea to continue to allow that behavior, but also allow multiple
'csp-report' objects to be batched up in a single request for efficiency.

I'd suggest allowing them to be simply joined in an array of such objects:

[
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  },
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  }
]

WDYT?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 5 November 2012 16:54:16 GMT
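A collector-side parser that accepts both the current one-report-per-POST body and the batched array form proposed above, added here as an example; it is not code from Mike's mail or from any browser or CSP implementation. The field names come from the sample in the mail; `parse_csp_reports`, `coalesce`, `is_rejected`, the `max_batch` cap and the sample bodies are assumptions of this example.

```python
import json
from collections import Counter

# Field names used by the csp-report object in the mail's sample.
REPORT_FIELDS = (
    "document-uri",
    "referrer",
    "blocked-uri",
    "violated-directive",
    "original-policy",
)

# Constructed sample report with the shape shown in the mail (not real traffic).
SAMPLE_REPORT = {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi",
}

# Constructed bodies: the existing single-report POST, the proposed batched
# POST (array of wrapper objects), and a malformed batch missing fields.
SINGLE_BODY = json.dumps({"csp-report": SAMPLE_REPORT})
BATCHED_BODY = json.dumps([{"csp-report": SAMPLE_REPORT},
                           {"csp-report": SAMPLE_REPORT}])
MALFORMED_BODY = json.dumps([{"csp-report": {"document-uri": "x"}}])


def parse_csp_reports(body, max_batch=100):
    """Parse a report-uri POST body in either form.

    Accepts a single {"csp-report": {...}} object (current behaviour) or a
    JSON array of such objects (the batched form proposed in the mail) and
    returns a list of validated report dicts. Anything else raises
    ValueError so the collector never stores partially-formed records.
    The max_batch cap is an assumed collector-side limit on how much a
    single request may carry; it is not part of the proposal.
    """
    data = json.loads(body)
    items = data if isinstance(data, list) else [data]
    if len(items) > max_batch:
        raise ValueError("batch of %d reports exceeds cap of %d"
                         % (len(items), max_batch))
    reports = []
    for item in items:
        if not isinstance(item, dict) or not isinstance(item.get("csp-report"), dict):
            raise ValueError('item is not a {"csp-report": {...}} object')
        report = item["csp-report"]
        missing = [f for f in REPORT_FIELDS if not isinstance(report.get(f), str)]
        if missing:
            raise ValueError("report missing string fields: %s" % ", ".join(missing))
        # Keep only the known fields so unexpected keys never reach storage.
        reports.append({f: report[f] for f in REPORT_FIELDS})
    return reports


def coalesce(reports):
    """Collapse identical reports in a batch into one record with a count.

    A batch can legitimately carry several copies of the same violation
    (the mail's own sample repeats one report twice); counting them keeps
    stored volume proportional to distinct violations, not to batch size.
    """
    counts = Counter(tuple(sorted(r.items())) for r in reports)
    return [dict(key, count=n) for key, n in counts.items()]


def is_rejected(body, **kwargs):
    """True if the collector would refuse this body outright."""
    try:
        parse_csp_reports(body, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, body in (("single", SINGLE_BODY), ("batched", BATCHED_BODY)):
        merged = coalesce(parse_csp_reports(body))
        print(name, json.dumps(merged, indent=2))
```

The same endpoint keeps serving browsers that still send one report per POST, while a batch is validated item by item and rejected as a whole if any element is malformed, so a collector does not end up with half of a batch stored.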
