
Re: Batching CSP violation reports.

From: Alex Russell <slightlyoff@google.com>
Date: Mon, 5 Nov 2012 18:43:50 +0000
Message-ID: <CANr5HFX1tfxa191sqNwBNEdqyv6gRds9kD4Vr=4_=Ea4a3LxAQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: public-webappsec@w3.org
+1


On Mon, Nov 5, 2012 at 4:53 PM, Mike West <mkwst@google.com> wrote:

> We should probably consider allowing CSP violation reports to be batched
> up. Right now we're making one HTTP POST per violation; it might be a good
> idea to continue to allow that behavior, but also allow multiple
> 'csp-report' objects to be batched up in a single request for efficiency.
>
> I'd suggest allowing them to be simply joined into an array of such objects:
>
> [
>   {
>     "csp-report": {
>       "document-uri": "http://example.org/page.html",
>       "referrer": "http://evil.example.com/haxor.html",
>       "blocked-uri": "http://evil.example.com/image.png",
>       "violated-directive": "default-src 'self'",
>       "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
>     }
>   },
>   {
>     "csp-report": {
>       "document-uri": "http://example.org/page.html",
>       "referrer": "http://evil.example.com/haxor.html",
>       "blocked-uri": "http://evil.example.com/image.png",
>       "violated-directive": "default-src 'self'",
>       "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
>     }
>   }
> ]
>
> WDYT?
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
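A report-uri endpoint that accepts both today's single-report POST and the batched array proposed in the quoted message, as an added example that is not code from this thread or from any browser or server implementation; the field list, the batch cap and the sample bodies are assumptions constructed for illustration.

```python
import json

# Fields of the csp-report object as shown in the thread; the exact set and
# the batch cap are assumptions for this example, not text from any spec.
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")
OPTIONAL_FIELDS = ("referrer", "blocked-uri")
MAX_BATCH = 100  # bound the work a single POST can cause the endpoint

class ReportError(ValueError):
    """Raised for a body the endpoint should reject (and log) rather than store."""

def _check_report(item, idx):
    # Each element must be exactly {"csp-report": {...}}, as in the single-report form.
    if not isinstance(item, dict) or set(item) != {"csp-report"}:
        raise ReportError(f"item {idx}: expected an object with a single 'csp-report' key")
    report = item["csp-report"]
    if not isinstance(report, dict):
        raise ReportError(f"item {idx}: 'csp-report' must be an object")
    for field in REQUIRED_FIELDS:
        if not isinstance(report.get(field), str):
            raise ReportError(f"item {idx}: missing or non-string field {field!r}")
    # Keep only known string fields; unknown keys are dropped rather than stored verbatim.
    return {f: report[f] for f in REQUIRED_FIELDS + OPTIONAL_FIELDS
            if isinstance(report.get(f), str)}

def parse_csp_reports(body):
    """Accept one csp-report object or a batched array; return a list of clean reports."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ReportError(f"body is not valid JSON: {exc}") from None
    items = data if isinstance(data, list) else [data]
    if not items:
        raise ReportError("empty batch")
    if len(items) > MAX_BATCH:
        raise ReportError(f"batch of {len(items)} exceeds limit of {MAX_BATCH}")
    return [_check_report(item, i) for i, item in enumerate(items)]

# Constructed sample bodies: one report in today's form, then two batched as proposed.
_ONE = {"csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"}}
SINGLE_BODY = json.dumps(_ONE)
BATCHED_BODY = json.dumps([_ONE, _ONE])
```

Bounding the batch size matters once batching is allowed: the report endpoint is unauthenticated by design, so one request must not be able to queue unbounded work.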
Received on Monday, 5 November 2012 18:44:49 GMT
