
Re: Trigger a DOM event/error when a CSP violation happens.

From: Dan Veditz <dveditz@mozilla.com>
Date: Tue, 27 Nov 2012 23:10:44 -0800
Message-ID: <50B5B8F4.3060202@mozilla.com>
To: Mike West <mkwst@google.com>
CC: public-webappsec@w3.org

On 11/22/12 4:35 AM, Mike West wrote:
> What do you think about making such a feature an opt-in portion of the
> policy by adding a `'self'` keyword to the `report-uri` directive? If
> the keyword is set, violation events would be fired at the
> `document.securityPolicy` object; if not, no violation events would fire
> for that policy.

I like the concept but have concerns over re-using 'self'. This is a 
completely different 'self', the page vs. the origin server elsewhere. 
Maybe something like 'page', 'events' or 'enable-events'? Those aren't 
even close to a "URI" though and it's too late to change the report-uri 
directive name -- maybe 'self' wasn't so bad.

I prefer opt-in, but a similar syntax for opt-out could be
    report-uri 'no-events' <sites>;

When you describe this as an "event" do you mean a DOM Event conforming 
to the DOM Level 3 Events spec? Does that mean document.securityPolicy 
is a DOM Node somehow? Maybe we should target the document itself instead.

-Dan Veditz
Received on Wednesday, 28 November 2012 07:11:14 GMT
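The two report-uri syntaxes discussed in this thread, modelled as an added example (not code from the thread or from any browser): the parser splits the directive value into quoted keywords and report URIs, the opt-in scheme fires events only when 'self' is present, the opt-out scheme suppresses them only when 'no-events' is present, and the violation is dispatched as a plain DOM Event at whatever EventTarget is chosen. The event name "cspviolation", the violation object's fields and the sample policy strings are assumptions; note that any EventTarget can receive a DOM Event, so the receiver need not be a Node.

```javascript
// Added example: model of the opt-in ('self') and opt-out ('no-events')
// report-uri keywords proposed in the thread. Event name and violation
// shape are assumptions, not any specification's API.

// Split a report-uri directive value into single-quoted keywords and URIs.
function parseReportUri(value) {
  const keywords = new Set();
  const uris = [];
  for (const token of value.trim().split(/\s+/).filter(Boolean)) {
    if (/^'[^']+'$/.test(token)) keywords.add(token.slice(1, -1));
    else uris.push(token);
  }
  return { keywords, uris };
}

// Decide whether violation events fire under the chosen scheme.
function eventsEnabled(parsed, scheme) {
  if (scheme === 'opt-in') return parsed.keywords.has('self');
  if (scheme === 'opt-out') return !parsed.keywords.has('no-events');
  throw new Error(`unknown scheme: ${scheme}`);
}

// Dispatch the violation as a DOM Event at `target` (a document, or a bare
// EventTarget standing in for document.securityPolicy). Returns true when
// an event was dispatched, false when the policy suppressed it.
function fireViolation(target, policyValue, scheme, violation) {
  const parsed = parseReportUri(policyValue);
  if (!eventsEnabled(parsed, scheme)) return false;
  const evt = new Event('cspviolation', { bubbles: false, cancelable: false });
  evt.violation = { ...violation, reportUris: parsed.uris };
  target.dispatchEvent(evt);
  return true;
}

// Constructed demo: a non-Node EventTarget receives the event under opt-in.
const securityPolicy = new EventTarget();
securityPolicy.addEventListener('cspviolation', (e) => {
  console.log('violation of', e.violation.directive, '->', e.violation.reportUris);
});
fireViolation(securityPolicy, "'self' https://example.com/csp-report", 'opt-in',
  { directive: 'script-src', blockedURI: 'https://cdn.example/x.js' });
```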
