
Report-uri same-origin restrictions?

From: Fred Andrews <fredandw@live.com>
Date: Mon, 15 Oct 2012 14:36:16 +0000
Message-ID: <BLU002-W46033B081EF231BC126D1FAA710@phx.gbl>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Does the CSP report-uri need to satisfy the same-origin restrictions?

Sorry, it did not pop out at me reading the spec, and given that reporting seems to be silent to the user in most implementations, it would appear to be a DDoS attack issue.

The matter is addressed here in section 'Restrictions on policy-uri and report-uri':
https://wiki.mozilla.org/Security/CSP/Specification

cheers
Fred
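The same-origin rule Fred points to (the Mozilla CSP draft's "Restrictions on policy-uri and report-uri" section) can be checked before a policy is deployed. The following is an added example, not code from the email, the W3C spec or the Mozilla draft: it parses a `Content-Security-Policy` header, resolves each `report-uri` value against the page URL, and lists the targets whose origin (scheme, host, port) differs from the page's. The function and helper names are my own, and the origin comparison assumes default ports 80 and 443 for `http`/`https`.

```python
from urllib.parse import urlsplit, urljoin

# Assumed default ports so "https://example.com" and "https://example.com:443"
# compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_csp(header):
    """Split a CSP header into {directive-name: [source tokens]}.

    Directives are ';'-separated; the first whitespace-separated token of each
    is the name, the rest are its values.
    """
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition(" ")
        directives[name.lower()] = value.split()
    return directives


def report_uri_violations(page_url, csp_header):
    """Return the report-uri targets in csp_header that are NOT same-origin
    with page_url. Relative report-uri values resolve against the page URL,
    as the browser would resolve them.
    """
    page_origin = origin_of(page_url)
    targets = parse_csp(csp_header).get("report-uri", [])
    offending = []
    for target in targets:
        absolute = urljoin(page_url, target)
        if origin_of(absolute) != page_origin:
            offending.append(absolute)
    return offending


if __name__ == "__main__":
    # Constructed sample policy: two same-origin targets, two cross-origin ones.
    header = ("default-src 'self'; report-uri /csp-report "
              "https://example.com:443/r https://evil.example/r http://example.com/r")
    for bad in report_uri_violations("https://example.com/page", header):
        print("cross-origin report-uri:", bad)
```

Running the sample flags `https://evil.example/r` (different host) and `http://example.com/r` (different scheme, so a different origin), while `/csp-report` and the explicit-port `https://example.com:443/r` pass. A deployment check like this keeps a site's own CSP from becoming a source of report traffic aimed at someone else's server, which is the concern raised above.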

Received on Monday, 15 October 2012 14:36:46 GMT
