
Re: Batching CSP violation reports.

From: Ian Melven <imelven@mozilla.com>
Date: Mon, 5 Nov 2012 09:03:10 -0800 (PST)
To: Mike West <mkwst@google.com>
Cc: Alex Russell <slightlyoff@google.com>, public-webappsec@w3.org
Message-ID: <411965093.4906565.1352134990913.JavaMail.root@mozilla.com>

Great suggestion. A couple weeks ago at OWASP AppSec USA, I received feedback from a few different sites who are implementing
CSP to various degrees. The amount of violation report messages received was raised as an issue
multiple times, so there's at least anecdotal evidence that this is something that could be improved.

Would these be aggregated at the document-uri level? I.e. all violations for a particular document
would be batched?

Thanks for bringing this up!
ian

----- Original Message -----
From: "Mike West" <mkwst@google.com>
To: public-webappsec@w3.org
Cc: "Alex Russell" <slightlyoff@google.com>
Sent: Monday, November 5, 2012 8:53:23 AM
Subject: Batching CSP violation reports.


We should probably consider allowing CSP violation reports to be batched up. Right now we're making one HTTP POST per violation; it might be a good idea to continue to allow that behavior, but also allow multiple 'csp-report' objects to be batched up in a single request for efficiency.


I'd suggest allowing them to be simply joined into an array of such objects:

[
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  },
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  }
]

WDYT? 

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+ , Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 5 November 2012 17:03:40 GMT
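As an added example (mine, not code from the thread or from any browser or site mentioned in it): a receiving-side parser for the report-uri endpoint that accepts both the current single 'csp-report' POST and the proposed array, then aggregates a batch per document-uri as Ian asks. The body and batch-size limits and the sample batch are assumed/constructed, not part of the proposal.

```python
import json
from collections import Counter

# Assumed endpoint limits (not from the thread): once a report-uri accepts arrays,
# bound the body and the batch size so the collector cannot be flooded cheaply.
MAX_BODY_BYTES = 64 * 1024
MAX_BATCH = 100
REQUIRED_KEYS = ("document-uri", "violated-directive")


def parse_csp_reports(body: str) -> list:
    """Return the inner report dicts from a report-uri POST body. Accepts the
    current per-violation form (one {"csp-report": {...}} object) and the proposed
    batched form (an array of such objects). Entries that are not objects or lack
    the required keys are skipped, so one bad entry does not discard the batch."""
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("report body too large")
    data = json.loads(body)
    entries = data if isinstance(data, list) else [data]
    if len(entries) > MAX_BATCH:
        raise ValueError("batch exceeds %d reports" % MAX_BATCH)
    reports = []
    for entry in entries:
        report = entry.get("csp-report") if isinstance(entry, dict) else None
        if isinstance(report, dict) and all(k in report for k in REQUIRED_KEYS):
            reports.append(report)
    return reports


def aggregate_by_document(reports: list) -> Counter:
    """Collapse a batch into counts keyed by document-uri, violated directive
    and blocked-uri, so repeated identical violations become one row."""
    counts = Counter()
    for r in reports:
        counts[(r["document-uri"], r["violated-directive"], r.get("blocked-uri", ""))] += 1
    return counts


# Constructed sample: the two-report batch from the message plus one junk entry
# (no "csp-report" key) that the parser should skip.
_REPORT = {"document-uri": "http://example.org/page.html",
           "referrer": "http://evil.example.com/haxor.html",
           "blocked-uri": "http://evil.example.com/image.png",
           "violated-directive": "default-src 'self'",
           "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"}
SAMPLE_BATCH = json.dumps([{"csp-report": _REPORT}, {"csp-report": dict(_REPORT)}, {"junk": 1}])

if __name__ == "__main__":
    for (doc, directive, blocked), n in aggregate_by_document(parse_csp_reports(SAMPLE_BATCH)).items():
        print(f"{n}x {doc}: {directive} blocked {blocked}")
```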

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 5 November 2012 17:03:40 GMT