Including the Javascript stack trace in the ContentSecurityPolicy report

Hi,

I'd like to propose that CSP reports include the Javascript stack trace
that resulted in loading the forbidden resource (similar to window.onerror).

In many large web applications (eg: Google+) it's almost impossible to
figure out why a report was sent. The document uri is typically just "
http://plus.google.com" which doesn't really give us enough context to know
what the user was doing. For example, if an XSS spreads via users' chat
status then a stack trace that pointed to the status message code would be
much more useful than something that just said there was a report sent from
somewhere on the page.

I filed issue 266151<https://code.google.com/p/chromium/issues/detail?id=266151>for
this and Adam suggested that I raise it on the list and see what
people
thought. Does this sound useful to other people?

Henry

Received on Friday, 2 August 2013 11:49:50 UTC