CSP 1.0: Are UAs permitted to implement reporting as opt-in? from Fred Andrews on 2012-10-16 (public-webappsec@w3.org from October 2012)

From: Fred Andrews <fredandw@live.com>
Date: Tue, 16 Oct 2012 22:36:45 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <BLU002-W1504D4E09318718495CA0E8AA700@phx.gbl>

It would be appreciated if the WG could clarify if a browser conforming to CSP 1.0 is permitted to implement reporting as opt-in?

It was my understanding based on the decision of issue 11 and prior discussion on this list that CSP 1.0 required a UA to submit a report when requested by the server and thus that a server could depend on this.  However a recent response suggests this may not be the consensus.

cheers
Fred

Received on Tuesday, 16 October 2012 22:37:12 UTC