
Re: CSP: set of report URIs

From: Mike West <mkwst@google.com>
Date: Tue, 19 Mar 2013 15:54:25 +0100
Message-ID: <CAKXHy=fxiVYhPnDd=h471wYzoCEhA455WkR8k1HUTd4hv_g1Dw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, "dveditz@mozilla.com" <dveditz@mozilla.com>

There is not a guarantee that the report URIs are same-origin, though I
believe Mozilla enforces that requirement (Daniel? Can you confirm?).

WebKit uses the same mechanism for these requests as used for hyperlink
auditing, which has similar requirements. Can you elaborate on the value of
adding a CORS preflight to the mix?

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Tue, Mar 19, 2013 at 12:16 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Is this set of URLs guaranteed to be same-origin somehow? Doing a
> cross-origin POST request with a JSON entity body is not something
> either <form> or XMLHttpRequest with CORS can do so would require at
> least a CORS preflight.
>
> --
> http://annevankesteren.nl/
Received on Tuesday, 19 March 2013 14:55:20 UTC