
When triggering default-src, report type of violation

From: Neil Matatall <neilm@twitter.com>
Date: Mon, 14 Jan 2013 18:13:58 -0800
Message-ID: <CAOFLtbiTw1QwHGxx5OGciAFnGwe7NYsy36Qm4Q9oZxc9_1t_wg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

When I receive a CSP report that was triggered by a default-src violation,
then I would like to receive data indicating what type of violation
occurred.

When applying a policy, I copy default-src into any directive that doesn't
have a value so when I receive the report, I know what type of violation
occurred. With inline/eval, this isn't an issue because it's obviously
script and script-src is usually defined anyhow :)

Without this, I cannot tell whether it was a frame-src, font-src,
connect-src, etc. violation because all I see is default-src in the
violated directive field.

Thoughts?
Received on Tuesday, 15 January 2013 02:14:26 GMT
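A small illustration of the workaround Neil describes, added here as an example and not code from the post: it copies `default-src` into every fetch directive the policy leaves unset, so a violation report names the specific directive (such as `font-src`) rather than `default-src`. The directive list in `FALLBACK_DIRECTIVES` and the function names are assumptions, not taken from the post or from any specification text on this page.

```python
# Added example (not from the original post): expand default-src into each
# fetch directive the policy leaves unset, so that a violation report names
# the specific directive (e.g. "font-src") instead of "default-src".
from typing import Dict, List

# Directives that fall back to default-src when absent. This list is an
# assumption based on CSP 1.0-era directives; adjust it for the version in use.
FALLBACK_DIRECTIVES = [
    "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src",
]


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Parse 'name value value; name value' into an ordered dict of source lists."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive is ignored: browsers honour the first occurrence.
        directives.setdefault(name, tokens[1:])
    return directives


def serialize_policy(directives: Dict[str, List[str]]) -> str:
    """Serialize the directive map back into a policy header value."""
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items())


def expand_default_src(policy: str) -> str:
    """Copy default-src into every fallback directive the policy does not set."""
    directives = parse_policy(policy)
    default = directives.get("default-src")
    if default is None:
        return serialize_policy(directives)  # nothing to expand
    for name in FALLBACK_DIRECTIVES:
        if name not in directives:
            directives[name] = list(default)
    return serialize_policy(directives)


if __name__ == "__main__":
    # Constructed sample policy: only script-src is set explicitly.
    print(expand_default_src("default-src 'self'; script-src 'self' https://cdn.example"))
```

`default-src` is kept in the output so that any directive not in the list still falls back to it.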
