W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

Re: CSP: set of report URIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 19 Mar 2013 11:28:12 -0400
Message-ID: <CADnb78hSOqUEmLr_uNwrG_pEdti6E_kpb42xkEgGGEHJaeDdTg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, Mar 19, 2013 at 11:21 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 3/19/2013 4:16 AM, Anne van Kesteren wrote:
>> Is this set of URLs guaranteed to be same-origin somehow? Doing a
>> cross-origin POST request with a JSON entity body is not something
>> either <form> or XMLHttpRequest with CORS can do so would require at
>> least a CORS preflight.
>
> The original Mozilla implementation required the report-uri to be
> same-origin with the document. Redirects were disallowed out of fears that
> open redirects might be common on the sorts of complex sites that could
> benefit from CSP.
>
> After complaints that this was overly restrictive we relaxed the requirement
> to "same base domain" where base domain was the first label to the left of
> an item on our "effective TLD" list ("eTLD+1").
>
> The CSP 1.0 spec has no restriction at all on report-uri because Adam (for
> one) thinks the "effective domain" concept is a terrible idea that must not
> spread to specs beyond cookies, and potential CSP users still think
> same-origin is overly restrictive.

I do agree with Adam that we (Mozilla) should not have done that.
Effective TLDs are no good and using effective TLDs here also opens up
things further than what <form> allows. Either we should be okay with
JSON payloads going cross-origin or we should keep the same-origin
restriction, or alternatively, we should make it a (one-way) CORS
request.


-- 
http://annevankesteren.nl/
Received on Tuesday, 19 March 2013 15:28:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC