Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 17 Oct 2012 14:58:52 -0700
Message-ID: <CAJE5ia86UFWc88itbTkUBn-phsCtr+8mx=Yq9TK2HwrF21e4hw@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

The server can't rely on CSP being present at all.  By your reasoning,
we should remove all the requirements from the spec.

This thread is well past its usefulness.  You don't seem to have a
technical point and are just wasting the working group's time.

Adam


On Wed, Oct 17, 2012 at 2:44 PM, Fred Andrews <fredandw@live.com> wrote:
> Hi Boris,
>
> If the server can't rely on this then why does CSP require the UA to
> send a report when requested?
>
> cheers
> Fred
>
>> Date: Wed, 17 Oct 2012 12:23:10 -0400
>> From: bzbarsky@MIT.EDU
>> To: public-webappsec@w3.org
>> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
>>
>> On 10/17/12 6:49 AM, Fred Andrews wrote:
>> > Just to clarify, when reporting is required the server can depend on the
>> > absence of a report when it trips its own policy to signal that the UA
>> > has not implemented the policy.
>>
>> Dan's point was that no, the server can't rely on this.
>>
>> -Boris
>>
Received on Wednesday, 17 October 2012 22:06:27 GMT
