RE: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

From: Fred Andrews <fredandw@live.com>
Date: Wed, 17 Oct 2012 21:44:23 +0000
Message-ID: <BLU002-W7666AB8F234C39A0875C19AA770@phx.gbl>
To: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Boris,

If the server can't rely on this then why does CSP require the UA to
send a report when requested?

cheers
Fred

> Date: Wed, 17 Oct 2012 12:23:10 -0400
> From: bzbarsky@MIT.EDU
> To: public-webappsec@w3.org
> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
> 
> On 10/17/12 6:49 AM, Fred Andrews wrote:
> > Just to clarify, when reporting is required the server can depend on the
> > absence of a report when it trips its own policy to signal that the UA has not
> > implemented the policy.
> 
> Dan's point was that no, the server can't rely on this.
> 
> -Boris
>
Received on Wednesday, 17 October 2012 21:44:49 GMT
