RE: Why no fragment part in CSP-report document-uri?

John,

  The fragment identifier is not transmitted to nor typically known by the server, and this is used as a security property by some systems such as web-keys. (http://waterken.sourceforge.net/web-key/)

  Section 14.36 of RFC 2616, which governs use of the Referer header, also states that: "The URI MUST NOT include a fragment."

 We didn't want CSP reporting to become a way to violate those assumptions, deliberately or accidentally.  

 -Brad
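As an added example (not code from Brad's message or from the CSP specification), the following JavaScript report builder applies the rule quoted in the thread: the fragment is stripped from both `document-uri` and `blocked-uri`, and an inline resource with no URI yields an empty `blocked-uri`. It assumes the WHATWG `URL` API (browsers and Node.js); the sample URLs, the web-key fragment value and the helper names are constructed for illustration.

```javascript
// Added example: minimal CSP violation-report construction that never
// forwards a fragment identifier to the report collector.

// Strip the fragment (including the '#') from an absolute URL string.
// Setting url.hash to '' sets the fragment to null, so href drops it entirely.
function stripFragment(uriString) {
  const url = new URL(uriString);
  url.hash = '';
  return url.href;
}

// Build the report body. `blocked` is null for inline script or style,
// which has no URI, so blocked-uri becomes the empty string.
function buildCspReport(documentUri, blocked, violatedDirective) {
  return {
    'csp-report': {
      'document-uri': stripFragment(documentUri),
      'blocked-uri': blocked === null ? '' : stripFragment(blocked),
      'violated-directive': violatedDirective,
    },
  };
}

// True if the serialized report still carries the given secret anywhere.
// A defender can use this as a regression check on a report sender.
function reportLeaks(report, secret) {
  return JSON.stringify(report).includes(secret);
}

// A web-key keeps its unguessable capability in the fragment. Since the
// fragment never reaches the server, a report that included it would hand
// the collector a capability the server was never meant to see.
const webKeyPage = 'https://example.com/app/#mhbqcmmva5ja3';                // constructed
const blockedResource = 'https://cdn.example.net/lib.js?v=2#cap-s3cr3t';    // constructed

const report = buildCspReport(webKeyPage, blockedResource, 'script-src');
const inlineReport = buildCspReport(webKeyPage, null, 'script-src');
// report['csp-report']['document-uri'] → "https://example.com/app/"
// report['csp-report']['blocked-uri']  → "https://cdn.example.net/lib.js?v=2"
```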

From: John Wilander [mailto:john.wilander@owasp.org] 
Sent: Wednesday, February 13, 2013 2:27 AM
To: public-webappsec
Subject: Re: Why no fragment part in CSP-report document-uri?

2013/2/13 John Wilander <john.wilander@owasp.org>
document-uri
The address of the protected resource, with any <fragment> component removed.

Sorry, I meant the ...
blocked-uri
URI of the resource that was prevented from loading due to the policy violation, with any <fragment> component removed, or the empty string if the resource has no URI (inline script and inline style, for example).
Still.

   /John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se

Received on Friday, 15 February 2013 22:17:00 UTC