
Re: CSP: set of report URIs

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 19 Mar 2013 08:21:02 -0700
Message-ID: <5148825E.8010904@mozilla.com>
To: Anne van Kesteren <annevk@annevk.nl>
CC: WebAppSec WG <public-webappsec@w3.org>

On 3/19/2013 4:16 AM, Anne van Kesteren wrote:
> Is this set of URLs guaranteed to be same-origin somehow? Doing a
> cross-origin POST request with a JSON entity body is not something
> either <form> or XMLHttpRequest with CORS can do so would require at
> least a CORS preflight.

The original Mozilla implementation required the report-uri to be 
same-origin with the document. Redirects were disallowed out of fears 
that open redirects might be common on the sorts of complex sites that 
could benefit from CSP.

After complaints that this was overly restrictive we relaxed the 
requirement to "same base domain" where base domain was the first label 
to the left of an item on our "effective TLD" list ("eTLD+1").

The CSP 1.0 spec has no restriction at all on report-uri because Adam 
(for one) thinks the "effective domain" concept is a terrible idea that 
must not spread to specs beyond cookies, and potential CSP users still 
think same-origin is overly restrictive.

-Dan Veditz
Received on Tuesday, 19 March 2013 15:21:34 UTC
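The three report-uri policies mentioned in this thread (Mozilla's original same-origin rule, the relaxed "same base domain" / eTLD+1 rule, and CSP 1.0's lack of any restriction), together with Anne's CORS point, as an added example that is not part of the thread and not Mozilla's or any browser's actual code. The eTLD list, the function names and the policy labels are constructed for illustration; a real implementation would consult the full public suffix list.

```javascript
// Added example: classify where a CSP report-uri would send reports relative
// to the document origin, under the policies discussed in the thread.
// Constructed stand-in for the "effective TLD" list; the real list is far larger.
const ETLDS = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Longest matching suffix in the eTLD list ("a.b.co.uk" -> "co.uk");
// hosts with no listed suffix fall back to their last label.
function effectiveTld(host, etlds = ETLDS) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (etlds.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// "eTLD+1": the effective TLD plus the first label to its left.
// Returns null when the host is itself an eTLD (nothing to the left).
function baseDomain(host, etlds = ETLDS) {
  const labels = host.toLowerCase().split(".");
  const etldLabels = effectiveTld(host, etlds).split(".").length;
  if (labels.length <= etldLabels) return null;
  return labels.slice(labels.length - etldLabels - 1).join(".");
}

// Relationship between the document and the (possibly relative) report-uri.
function classifyReportUri(documentUrl, reportUri, etlds = ETLDS) {
  const doc = new URL(documentUrl);
  const report = new URL(reportUri, doc); // relative report-uri resolves against the document
  if (report.origin === doc.origin) return "same-origin";
  const docBase = baseDomain(doc.hostname, etlds);
  const reportBase = baseDomain(report.hostname, etlds);
  if (docBase !== null && docBase === reportBase) return "same-base-domain";
  return "cross-site";
}

// The three policies from the thread (labels constructed here):
//   "same-origin"  - original Mozilla rule
//   "etld+1"       - relaxed "same base domain" rule
//   "unrestricted" - CSP 1.0, no restriction on report-uri
function isAllowed(policy, classification) {
  switch (policy) {
    case "same-origin":
      return classification === "same-origin";
    case "etld+1":
      return classification !== "cross-site";
    case "unrestricted":
      return true;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Content types that CORS lets <form> and XMLHttpRequest send without a preflight.
const CORS_SAFELISTED_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Anne's point: a cross-origin POST carrying a JSON body is not a "simple"
// CORS request, so sending it through the CORS machinery means a preflight.
function needsCorsPreflight(documentUrl, reportUri, contentType) {
  if (classifyReportUri(documentUrl, reportUri) === "same-origin") return false;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return !CORS_SAFELISTED_TYPES.has(essence);
}

// Usage
const page = "https://www.example.com/account";
for (const target of ["/csp-report", "https://reports.example.com/csp", "https://csp.example.org/"]) {
  const kind = classifyReportUri(page, target);
  console.log(target, kind,
    "same-origin:", isAllowed("same-origin", kind),
    "etld+1:", isAllowed("etld+1", kind),
    "preflight for JSON:", needsCorsPreflight(page, target, "application/json"));
}
```

Note that the eTLD+1 check deliberately ignores scheme and port, so `http://www.example.com` and `https://www.example.com` count as the same base domain even though they are different origins; that is the looseness the "effective domain" objection in the thread is about.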

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC