Why no fragment part in CSP-report document-uri?

Hi!

The CSP report spec says (
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri
):

csp-report

A JSON object containing the following keys and values:
*document-uri**The
address<http://www.w3.org/TR/html5/dom.html#the-document%27s-address>of
the protected resource, with any
<fragment> <http://www.w3.org/TR/html5/urls.html#url-fragment> component
removed.*
This is a problem for stateful Ajax applications using so called hashbang
URLs for navigation and application state, e.g.
https://example.com/#!purchase/checkout/billing. You just cannot tell where
the user was in the application when the CSP violation happened for such
applications. I'm aware that data after the fragment identifier should not
be sent to the server in regular HTTP requests. However, does that rule
have to apply to CSP reports? Or are there other reasons for the "fragment
component removed" spec rule? Could we make it configurable in the policy
header?

I've been digging through quite some CSP reports lately and I can assure
you this is a significant problem.

   Regards, John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se

Received on Wednesday, 13 February 2013 10:23:59 UTC