
Why no fragment part in CSP-report document-uri?

From: John Wilander <john.wilander@owasp.org>
Date: Wed, 13 Feb 2013 11:23:31 +0100
Message-ID: <CALrECXBEV9y182wDOx7ac-XJeJvaWj2P_=mzfsZhMPy+tw74nQ@mail.gmail.com>
To: public-webappsec <public-webappsec@w3.org>
Hi!

The CSP report spec says
(https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri):

csp-report

A JSON object containing the following keys and values:

*document-uri*: The address <http://www.w3.org/TR/html5/dom.html#the-document%27s-address> of the protected resource, with any <fragment> <http://www.w3.org/TR/html5/urls.html#url-fragment> component removed.
This is a problem for stateful Ajax applications using so-called hashbang
URLs for navigation and application state, e.g.
https://example.com/#!purchase/checkout/billing. You just cannot tell where
the user was in the application when the CSP violation happened for such
applications. I'm aware that data after the fragment identifier should not
be sent to the server in regular HTTP requests. However, does that rule
have to apply to CSP reports? Or are there other reasons for the "fragment
component removed" spec rule? Could we make it configurable in the policy
header?

I've been digging through quite some CSP reports lately and I can assure
you this is a significant problem.

   Regards, John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
Received on Wednesday, 13 February 2013 10:23:59 GMT
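As an added example (not part of John's post or of the spec): a minimal receiver-side parser for the csp-report JSON quoted above, together with the spec's "fragment component removed" rule applied to the hashbang URL from the post, so a report endpoint can see exactly which part it never receives. The sample report values are constructed, and the POST shape with a top-level "csp-report" member plus the other CSP 1.0 report keys are assumptions not quoted in the post.

```python
import json
from urllib.parse import urldefrag

# Keys of the csp-report object in CSP 1.0 (assumed here; the post quotes
# only document-uri, which is the key under discussion).
REPORT_KEYS = ("document-uri", "referrer", "blocked-uri",
               "violated-directive", "original-policy")


def report_document_uri(document_address):
    """Apply the quoted spec rule: the document's address with any fragment
    component removed. Returns (reported_uri, dropped_fragment) so the caller
    can see what a hashbang application loses."""
    stripped, fragment = urldefrag(document_address)
    return stripped, fragment


def parse_csp_report(body):
    """Parse one report-uri POST body (bytes) into a plain dict.

    Returns None for bodies that are not a JSON object with a csp-report
    member. Unknown keys are dropped and document-uri is re-normalised, so a
    non-conforming sender cannot smuggle a fragment into the logs."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    record = {k: report[k] for k in REPORT_KEYS if isinstance(report.get(k), str)}
    if "document-uri" not in record:
        return None
    record["document-uri"], _ = report_document_uri(record["document-uri"])
    return record


# Constructed sample: the report a browser would send for a hashbang app.
# The page was at https://example.com/#!purchase/checkout/billing, but the
# report only carries the address with the fragment already removed.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.com/",
    "referrer": "",
    "blocked-uri": "https://cdn.example.net/widget.js",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp-report",
}}).encode()

if __name__ == "__main__":
    print(report_document_uri("https://example.com/#!purchase/checkout/billing"))
    print(parse_csp_report(SAMPLE_BODY))
```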
