
RE: Batching CSP violation reports.

From: Jacob Rossi <Jacob.Rossi@microsoft.com>
Date: Mon, 5 Nov 2012 19:17:50 +0000
To: Alex Russell <slightlyoff@google.com>, Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE0676E529@TK5EX14MBXC287.redmond.corp.microsoft.com>
+1 as well

From: Alex Russell [mailto:slightlyoff@google.com]
Sent: Monday, November 5, 2012 10:44 AM
To: Mike West
Cc: public-webappsec@w3.org
Subject: Re: Batching CSP violation reports.

+1

On Mon, Nov 5, 2012 at 4:53 PM, Mike West <mkwst@google.com> wrote:
We should probably consider allowing CSP violation reports to be batched up. Right now we're making one HTTP POST per violation; it might be a good idea to continue to allow that behavior, but also allow multiple 'csp-report' objects to be batched up in a single request for efficiency.

I'd suggest allowing them to be simply joined into an array of such objects:

[
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  },
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  }
]

WDYT?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 5 November 2012 19:19:20 GMT
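The report-collector side of Mike's proposal, as an added example that is not code from the thread or from any browser or W3C project: a parser for the report-uri POST body that accepts both the existing single-object form and the proposed array form, and rejects malformed or oversized batches before anything is logged. The required/optional field split and the MAX_BATCH cap are this example's own assumptions.

```python
import json

# Field names come from the thread's sample reports; which are required is
# this example's own choice, not a normative rule.
REQUIRED = ("document-uri", "violated-directive", "original-policy")
OPTIONAL = ("referrer", "blocked-uri")
MAX_BATCH = 100  # assumed collector-side cap on reports per request

class ReportError(ValueError):
    """The POST body is not a well-formed csp-report or batch of them."""

def _parse_one(item):
    # Each element must be exactly {"csp-report": {...}} with string fields.
    if not isinstance(item, dict) or set(item) != {"csp-report"}:
        raise ReportError("element must be an object with one 'csp-report' key")
    body = item["csp-report"]
    if not isinstance(body, dict) or not all(k in body for k in REQUIRED):
        raise ReportError(f"csp-report must be an object with {REQUIRED}")
    record = {k: body[k] for k in REQUIRED + OPTIONAL if k in body}
    if not all(isinstance(v, str) for v in record.values()):
        raise ReportError("csp-report fields must be strings")
    return record

def parse_csp_reports(raw):
    """Parse a report-uri POST body in either the single-object form or the
    proposed batched form; return one normalised dict per violation."""
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise ReportError(f"body is not valid JSON: {exc}") from None
    if isinstance(data, dict):
        items = [data]  # one POST per violation (existing behaviour)
    elif isinstance(data, list):
        items = data    # batched form proposed in the thread
    else:
        raise ReportError("body must be a csp-report object or an array of them")
    if len(items) > MAX_BATCH:
        raise ReportError(f"batch of {len(items)} exceeds limit of {MAX_BATCH}")
    return [_parse_one(item) for item in items]

# Constructed sample: the two-report batch from the thread, as a request body.
SAMPLE_REPORT = {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi",
}
SAMPLE_BATCH = json.dumps([{"csp-report": SAMPLE_REPORT}] * 2)
```

A collector would answer 400 on ReportError and store each returned dict as one violation, so batched and unbatched clients produce identical records.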