
Re: Trigger a DOM event/error when a CSP violation happens.

From: Eduardo' Vela <evn@google.com>
Date: Thu, 25 Oct 2012 07:49:16 -0700
Message-ID: <CAFswPa_Y+Eig=YDkLOpVBNBrE187q33Cv4iWFr5ixW3ZB8fUFA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: public-webappsec@w3.org, Adam Barth <w3c@adambarth.com>

The console warnings are nice, but when we receive tens of millions of
reports, it's hard to find duplicates and it's hard to reproduce.
On Oct 24, 2012 11:58 PM, "Mike West" <mkwst@google.com> wrote:

> Triggering an error is something we should probably be doing anyway. There
> are a number of bugs in WebKit on exactly this point. I know we're
> currently triggering an error event for images, but there are a number of
> other elements where that's not happening.
>
> Beyond the error event, are you asking for a new event type for resources
> blocked by CSP? Do the console warnings not give you enough detail?
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Thu, Oct 25, 2012 at 8:31 AM, Adam Barth <w3c@adambarth.com> wrote:
>
>> On Wed, Oct 24, 2012 at 11:18 PM, Eduardo' Vela <evn@google.com> wrote:
>> > I believe this has been discussed before.
>> >
>> > We have found a lot of challenges triaging reports to the point we are
>> > considering disabling CSP since it's useless as we can't effectively debug
>> > it, this is very important for large scale applications.
>> >
>> > Could it be possible to trigger a CSP DOM event or simply trigger an error
>> > (which will raise an onerror event).
>>
>> This sounds like something we should experiment with in CSP 1.1.  We
>> can try a prototype implementation in WebKit to see how feasible it
>> is.
>>
>> Adam
>>
>>
>
Received on Thursday, 25 October 2012 14:49:43 GMT
