
RE: Why no fragment part in CSP-report document-uri?

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 15 Feb 2013 22:16:29 +0000
To: John Wilander <john.wilander@owasp.org>, public-webappsec <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2791C963@DEN-EXDDA-S12.corp.ebay.com>
John,

  The fragment identifier is not transmitted to nor typically known by the server, and this is used as a security property by some systems such as web-keys. (http://waterken.sourceforge.net/web-key/)

  Section 14.36 of RFC 2616, which governs use of the Referer header, also states that: "The URI MUST NOT include a fragment."

 We didn't want CSP reporting to become a way to violate those assumptions, deliberately or accidentally.

 -Brad

From: John Wilander [mailto:john.wilander@owasp.org] 
Sent: Wednesday, February 13, 2013 2:27 AM
To: public-webappsec
Subject: Re: Why no fragment part in CSP-report document-uri?

2013/2/13 John Wilander <john.wilander@owasp.org>
document-uri
The address of the protected resource, with any <fragment> component removed.

Sorry, I meant the ...
blocked-uri
URI of the resource that was prevented from loading due to the policy violation, with any <fragment> component removed, or the empty string if the resource has no URI (inline script and inline style, for example).
Still.

   /John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
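As an added illustration of the property Brad describes (not code from the thread or from any of the specs it cites), the following JavaScript strips the fragment from the URIs that go into a CSP violation report, the way the `document-uri` and `blocked-uri` definitions John quoted require, and shows the matching collector-side check: a report endpoint should not assume every user agent got this right, so it scrubs any fragment that does arrive before logging and flags the anomaly. The `buildReport` and `scrubReport` functions and the web-key-style sample URL are constructed for this example.

```javascript
// Added example, not part of the mailing-list thread.
// Uses the WHATWG URL class available in browsers and Node.

// Remove the fragment component from a URI. The spec text quoted in the
// thread represents resources without a URI (inline script/style) as the
// empty string, so null/undefined/"" map to "".
function stripFragment(uri) {
  if (uri === null || uri === undefined || uri === "") return "";
  try {
    const u = new URL(uri);
    u.hash = ""; // drops "#..." together with the "#" itself
    return u.href;
  } catch (e) {
    // Not an absolute URL: truncate textually at the first "#".
    const idx = uri.indexOf("#");
    return idx === -1 ? uri : uri.slice(0, idx);
  }
}

// Assemble the URI-bearing fields of a report the way a conforming user
// agent would, so a web-key style secret in the fragment never leaves the
// client. (Hypothetical helper, not a browser API.)
function buildReport(documentUri, blockedUri, violatedDirective) {
  return {
    "csp-report": {
      "document-uri": stripFragment(documentUri),
      "blocked-uri": stripFragment(blockedUri),
      "violated-directive": violatedDirective,
    },
  };
}

// Collector-side defence: scrub every URI field of an incoming report and
// record whether a fragment had to be removed, so a non-conforming sender
// can be detected rather than having the secret written to the logs.
const URI_FIELDS = ["document-uri", "blocked-uri", "referrer"];

function scrubReport(report) {
  const body = report["csp-report"] || {};
  const clean = { ...body };
  let fragmentLeaked = false;
  for (const field of URI_FIELDS) {
    if (typeof clean[field] === "string" && clean[field].includes("#")) {
      fragmentLeaked = true;
      clean[field] = stripFragment(clean[field]);
    }
  }
  return { report: { "csp-report": clean }, fragmentLeaked };
}

// Constructed sample: a web-key style URL whose secret lives in the fragment.
const sampleDocument = "https://app.example.test/page#CONSTRUCTED-WEBKEY-SECRET";
console.log(JSON.stringify(buildReport(sampleDocument, "", "script-src"), null, 2));
console.log(scrubReport({ "csp-report": { "document-uri": sampleDocument } }));
```

On the collector, `fragmentLeaked === true` is worth an alert on its own: it means either a buggy user agent or a forged report, and in both cases the fragment should be discarded rather than stored.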
Received on Friday, 15 February 2013 22:17:00 GMT
