
Re: Trigger a DOM event/error when a CSP violation happens.

From: Eduardo' Vela <evn@google.com>
Date: Fri, 26 Oct 2012 16:16:36 -0700
Message-ID: <CAFswPa-EcCV-JEW0-NCEvgN163EZwxWOHALpH_zsVQvvTD-QyQ@mail.gmail.com>
To: John J Barton <johnjbarton@johnjbarton.com>
Cc: Dan Veditz <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

If we can't debug the origin of the alert, it's impossible for us to
differentiate an attack from a bug like this.


On Fri, Oct 26, 2012 at 4:12 PM, John J Barton
<johnjbarton@johnjbarton.com> wrote:

> On Fri, Oct 26, 2012 at 3:53 PM, Dan Veditz <dveditz@mozilla.com> wrote:
> ...
> > Such APIs would be out of scope for this WG so I'd just like to state the
> > privacy principle that user-agent supplied policies do not report violations
> > to the originating server or page content.
>
> Similarly, extension supplied policies should not report. Otherwise
> web pages can probe the user's installed extensions.
>
> jjb
>
> > I'm not against firing events at
> > the page for violations of the page's own policy.
> >
> > -Dan Veditz
> >
>
Received on Friday, 26 October 2012 23:17:24 GMT
