
Re: CSP: set of report URIs

From: Eduardo' Vela <evn@google.com>
Date: Thu, 28 Mar 2013 12:13:08 -0700
Message-ID: <CAFswPa8pr7X8kQHCn9L6eKOJzgdnO3--_2d3X6=ArdwQRANhPA@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>
I think the DOM Event that Mike West is proposing can be used by people
that might want to do more things. So while I would like to be able to
pinpoint users in reports to facilitate debugging, I can do it ad-hoc
rather than always, which is also good because it makes the log-collection
consequences of using report-uri a lot simpler.


On Thu, Mar 28, 2013 at 10:55 AM, Neil Matatall <neilm@twitter.com> wrote:

> This works for Twitter's use case. I'm curious to see what other
> people backing cross-host posting say (I hope we aren't the only
> ones!). We do not analyze the reports from the public with anything
> identifiable.
>
> On Thu, Mar 28, 2013 at 10:39 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > On Thu, Mar 28, 2013 at 5:01 PM, Hill, Brad <bhill@paypal-inc.com>
> wrote:
> >> What about the following proposal to limit the CSRF-type risks of CSP
> reports:
> >>
> >> 1. Require the report POST to be anonymous, per CORS.
> >> 2. Change the content-type from "application/json" to
> "application/csp-report"
> >
> > I don't really see how that's not breaking the <form> invariant. It
> > still allows a new type of data to be posted to an unsuspecting
> > intranet. Admittedly the risk does seem fairly low, but people have
> > got upset over less.
> >
> >
> > --
> > http://annevankesteren.nl/
> >
>
>
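As an added example (not code from this thread or from any implementation discussed in it), here is a report-uri collector written the way Brad Hill's proposal and Twitter's stated practice point: it accepts only the proposed application/csp-report media type, never reads cookies or other ambient credentials, and keeps only the CSP 1.0 report fields with query strings and fragments stripped so nothing identifiable is stored. The media type comes from the thread, the field names from the CSP 1.0 report format, and the 16 KiB size limit is an assumption.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Media type proposed in the thread; CSP 1.0 browsers actually sent application/json.
CSP_REPORT_TYPE = "application/csp-report"
# Report fields defined by CSP 1.0; anything else the sender adds is dropped.
ALLOWED_FIELDS = ("document-uri", "referrer", "blocked-uri",
                  "violated-directive", "original-policy")
URI_FIELDS = {"document-uri", "referrer", "blocked-uri"}


class ReportRejected(ValueError):
    """Raised for any POST the collector refuses to store."""


def _strip_uri(value):
    # Keep scheme, host and path only: query strings and fragments often carry
    # per-user tokens, and the collector stores nothing identifiable.
    parts = urlsplit(str(value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def parse_csp_report(headers, body):
    """Validate one report-uri POST (headers dict, body bytes) and return a
    sanitised report dict. Cookie and Authorization headers are never read, so
    a stored report carries no ambient credentials whatever the browser sent."""
    norm = {k.lower(): v for k, v in headers.items()}
    ctype = norm.get("content-type", "").split(";")[0].strip().lower()
    if ctype != CSP_REPORT_TYPE:
        raise ReportRejected("unexpected Content-Type %r" % ctype)
    if len(body) > 16 * 1024:  # assumed cap; real reports are a few hundred bytes
        raise ReportRejected("report body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ReportRejected("malformed JSON: %s" % exc)
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ReportRejected("missing csp-report object")
    clean = {}
    for key in ALLOWED_FIELDS:
        if key in report:
            clean[key] = _strip_uri(report[key]) if key in URI_FIELDS else str(report[key])
    if "violated-directive" not in clean:
        raise ReportRejected("no violated-directive in report")
    return clean


def summarize(reports):
    """Aggregate sanitised reports by (violated-directive, blocked-uri)."""
    return Counter((r["violated-directive"], r.get("blocked-uri", "")) for r in reports)
```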
Received on Thursday, 28 March 2013 19:13:59 UTC
