RE: Batching CSP violation reports.

+1 as well

From: Alex Russell [mailto:slightlyoff@google.com]
Sent: Monday, November 5, 2012 10:44 AM
To: Mike West
Cc: public-webappsec@w3.org
Subject: Re: Batching CSP violation reports.

+1

On Mon, Nov 5, 2012 at 4:53 PM, Mike West <mkwst@google.com> wrote:
We should probably consider allowing CSP violation reports to be batched up. Right now we're making one HTTP POST per violation; it might be a good idea to continue to allow that behavior, but also allow multiple 'csp-report' objects to be batched up in a single request for efficiency.

I'd suggest allowing them to be simply joined into an array of such objects:

[
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  },
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  }
]

WDYT?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Monday, 5 November 2012 19:19:20 UTC