
RE: CSP: set of report URIs

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 28 Mar 2013 17:01:48 +0000
To: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27976997@DEN-EXDDA-S12.corp.ebay.com>
What about the following proposal to limit the CSRF-type risks of CSP reports:

1. Require the report POST to be anonymous, per CORS.
2. Change the content-type from "application/json" to "application/csp-report"

?

-Brad

> -----Original Message-----
> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On
> Behalf Of Anne van Kesteren
> Sent: Saturday, March 23, 2013 12:38 PM
> To: WebAppSec WG
> Subject: Re: CSP: set of report URIs
> 
> On Tue, Mar 19, 2013 at 11:16 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > Is this set of URLs guaranteed to be same-origin somehow? Doing a
> > cross-origin POST request with a JSON entity body is not something
> > either <form> or XMLHttpRequest with CORS can do so would require at
> > least a CORS preflight.
> 
> Note also that the invocation of fetch that is used does not limit credentials in
> any way. That seems like a bug.
> 
> 
> I created http://wiki.whatwg.org/wiki/HTTP_Fetch_Policy by the way where I
> try to document what kind of requests can be made from a website. The idea is
> to figure out if we actually have any kind of policy in place here or if we're just
> doing something making wild guesses about whether what we do is secure or
> not for the third party... I have the feeling we're quite inconsistent.
> 
> 
> --
> http://annevankesteren.nl/


Received on Thursday, 28 March 2013 17:02:32 UTC
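The receiving side of the proposal above, as an added example that is not part of the thread or of any CSP implementation: a minimal report endpoint that accepts only the dedicated `application/csp-report` media type (the name is taken from Brad's proposal; it is assumed here, not a standard at the time of the thread), never consults cookies or other ambient credentials, and validates the JSON body before logging it. The header dictionary, the size cap and the sample requests are constructed for the example. The point it demonstrates is the one behind item 2: an HTML `<form>` can only submit `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`, so a cross-site form post cannot masquerade as a report once the endpoint insists on the dedicated type.

```python
"""Minimal CSP violation-report receiver (added example, not from the thread)."""
import json

# Media type proposed in the thread for CSP reports (assumption: no registry
# entry existed yet when this was written).
REPORT_CONTENT_TYPE = "application/csp-report"

# Media types an HTML <form> element can produce via enctype.
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Assumption: reports are small; a cap limits abuse of the endpoint as a sink.
MAX_REPORT_BYTES = 16 * 1024

# Constructed sample report using the CSP 1.0 field names.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.org/page",
        "referrer": "",
        "blocked-uri": "https://evil.example/x.js",
        "violated-directive": "script-src 'self'",
        "original-policy": "script-src 'self'; report-uri /csp-report",
    }
}).encode("utf-8")


def parse_media_type(content_type):
    """Return the bare media type of a Content-Type value, without parameters."""
    return content_type.split(";", 1)[0].strip().lower()


def could_come_from_html_form(headers):
    """True if the request's media type is one a plain <form> post can send."""
    return parse_media_type(headers.get("content-type", "")) in FORM_MEDIA_TYPES


def handle_report(headers, body):
    """Validate one POSTed report.

    headers: dict keyed by lower-case header name (constructed stand-in for a
    framework's header object).  body: raw request bytes.
    Returns (http_status, parsed_report_or_None).  Cookies and any other
    credential headers are deliberately never read: the endpoint grants
    nothing, so a credentialed request has no extra effect here.
    """
    if parse_media_type(headers.get("content-type", "")) != REPORT_CONTENT_TYPE:
        return 415, None  # Unsupported Media Type: rejects form posts and JSON
    if len(body) > MAX_REPORT_BYTES:
        return 413, None  # Payload Too Large
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, None  # not well-formed JSON
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return 400, None  # JSON, but not a CSP report document
    return 204, report  # No Content: accepted


def log_line(report):
    """Render the fields a defender wants in a log line, tolerating absent keys."""
    return "csp-violation directive=%r blocked=%r document=%r" % (
        report.get("violated-directive"),
        report.get("blocked-uri"),
        report.get("document-uri"),
    )


if __name__ == "__main__":
    # Constructed requests: a genuine report, the same report sent with a
    # cookie, a cross-site <form> post, and a legacy application/json post.
    cases = [
        ({"content-type": "application/csp-report"}, SAMPLE_REPORT),
        ({"content-type": "application/csp-report; charset=utf-8",
          "cookie": "session=abc"}, SAMPLE_REPORT),
        ({"content-type": "application/x-www-form-urlencoded"},
         b"csp-report=%7B%7D"),
        ({"content-type": "application/json"}, SAMPLE_REPORT),
    ]
    for headers, body in cases:
        status, report = handle_report(headers, body)
        print(status, "form-postable" if could_come_from_html_form(headers) else "",
              log_line(report) if report else "")
```

Note that this only handles the server half; item 1 of the proposal (an anonymous, credential-free fetch) has to be done by the browser, which is why Anne flags the unrestricted credentials in the fetch invocation as a bug. Treating the endpoint as one that grants nothing and accepts only the dedicated type is the defensive complement.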
