
Re: Report-uri same-origin restrictions?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 15 Oct 2012 09:07:55 -0700
Message-ID: <CAJE5ia8Qt1OfyRmV=411SEA5hy5JeLR9MsST3RqYAjLB0NY1XA@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Oct 15, 2012 at 7:36 AM, Fred Andrews <fredandw@live.com> wrote:
> Does the CSP report-uri need to satisfy the same-origin restrictions?

Nope.  An earlier version of the specification had that requirement,
but the current version does not.

> Sorry it did not pop out at me reading the spec. and given that reporting
> seems to be silent to the user in most implementations it would appear to be
> a DDOS attack issue.

It's not any more of a DDOS issue than the <img> element.

Adam
Received on Monday, 15 October 2012 16:08:57 GMT
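
Because report-uri is not limited to the document's own origin, a site owner reviewing a policy may want to know which endpoints will receive its violation reports. The following is an added example, not part of the thread or the specification: it resolves each report-uri value against the document URL and marks it same-origin or cross-origin. The function names and the example.com / example.net hosts are constructed for illustration, and the sketch assumes the first report-uri directive in the policy is the one that applies.

```javascript
// Added example: audit where a CSP policy sends its violation reports.
// Function names are hypothetical; hosts and policy below are constructed.

// Return the values of the first report-uri directive in a policy string.
function parseReportUris(policy) {
  // Directives are separated by ';', a directive's name and values by whitespace.
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'report-uri') {
      return tokens.slice(1);
    }
  }
  return [];
}

// Resolve each report-uri against the protected document and compare origins
// (scheme, host, port; URL.origin drops default ports such as :443 for https).
function classifyReportEndpoints(documentUrl, policy) {
  const docOrigin = new URL(documentUrl).origin;
  return parseReportUris(policy).map((uri) => {
    let resolved;
    try {
      resolved = new URL(uri, documentUrl); // relative values resolve against the document
    } catch {
      return { uri, resolved: null, sameOrigin: false, error: 'unparseable' };
    }
    return { uri, resolved: resolved.href, sameOrigin: resolved.origin === docOrigin };
  });
}

// Constructed sample: one relative endpoint, one third-party endpoint,
// and one absolute endpoint that is same-origin once the default port is dropped.
const sampleDoc = 'https://app.example.com/account';
const samplePolicy =
  "default-src 'self'; report-uri /csp-report https://reports.example.net/csp https://app.example.com:443/r";

for (const entry of classifyReportEndpoints(sampleDoc, samplePolicy)) {
  console.log(entry.sameOrigin ? 'same-origin ' : 'cross-origin', entry.resolved);
}
```

Cross-origin entries are the ones to review, since violation reports carry the document URL and the blocked URL to that endpoint.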
