Re: Trigger a DOM event/error when a CSP violation happens. from Eduardo' Vela on 2012-10-26 (public-webappsec@w3.org from October 2012)

From: Eduardo' Vela <evn@google.com>
Date: Fri, 26 Oct 2012 16:16:36 -0700
To: John J Barton <johnjbarton@johnjbarton.com>
Cc: Dan Veditz <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFswPa-EcCV-JEW0-NCEvgN163EZwxWOHALpH_zsVQvvTD-QyQ@mail.gmail.com>

If we can't debug the origin of the alert, it's impossible for us to
differentiate an attack from a bug like this.


On Fri, Oct 26, 2012 at 4:12 PM, John J Barton
<johnjbarton@johnjbarton.com>wrote:

> On Fri, Oct 26, 2012 at 3:53 PM, Dan Veditz <dveditz@mozilla.com> wrote:
> ...
> > Such APIs would be out of scope for this WG so I'd just like to state the
> > privacy principal that user-agent supplied policies do not report
> violations
> > to the originating server or page content.
>
> Similarly, extension supplied policies should not report. Otherwise
> web pages can probe the users installed extensions.
>
> jjb
>
> > I'm not against firing events at
> > the page for violations of the page's own policy.
> >
> > -Dan Veditz
> >
>

Received on Friday, 26 October 2012 23:17:24 UTC