
Re: Trigger a DOM event/error when a CSP violation happens.

From: Dan Veditz <dveditz@mozilla.com>
Date: Tue, 27 Nov 2012 21:48:41 -0800
Message-ID: <50B5A5B9.5090007@mozilla.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: Mike West <mkwst@google.com>, Eduardo' Vela <evn@google.com>, public-webappsec@w3.org, Adam Barth <w3c@adambarth.com>

On 11/27/12 1:50 PM, Devdatta Akhawe wrote:
> I am not even sure opt-out is needed: you can just not set a handler
> if you don't want the events.

Not opt-out in the sense of whether the page content wants the events, 
opt-out in the sense that a policy setter (an add-on, perhaps) doesn't 
want reports of its activities sent to the page.

Add-ons or otherwise modified clients (hosts files?) can already
suppress content loads. There's no real gain making this one particular
mechanism noisy with no recourse and some privacy/fingerprinting harm.
I'd prefer add-ons to consider using the CSP mechanism when possible as
a well-defined, stable mechanism.

-Dan Veditz
Received on Wednesday, 28 November 2012 05:49:08 GMT
