W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2014

Re: [CSP] feedback report-uri directive and report-only header

From: Caleb Queern <cqueern@gmail.com>
Date: Thu, 21 Aug 2014 14:38:48 -0700
Message-ID: <CAEnXMMoevEkhWrNqSkwJGKLhfL9fo+OQEF9CkVeDZR7dwmpgrA@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: Stefan Ossendorf <stefan.ossendorf@outlook.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Related question. Is there a limit to how many report-uris in a CSP policy
will be considered valid? If there is not, should there be?

Seems that without any upper limit we may be leaving the door open for
shenanigans.


On Thu, Aug 21, 2014 at 9:44 AM, Hill, Brad <bhill@paypal.com> wrote:

>  Stefan,
>
>
>
> 1. Both relative paths or fully-qualified URLs with a scheme, host and
> port are allowed for report-uri.
>
> 2. In the future we expect that there may be alternate methods to announce
> violations other than report-uri, such as a DOM API.  In the meantime, if
> you can’t enforce that there’s a valid listener at a uri, it doesn’t gain
> much to enforce that a uri is present.
>
>
>
> -Brad
>
>
>
> *From:* Stefan Ossendorf [mailto:stefan.ossendorf@outlook.de]
> *Sent:* Thursday, August 21, 2014 9:36 AM
> *To:* public-webappsec@w3.org
> *Subject:* [CSP] feedback report-uri directive and report-only header
>
>
>
> Hello,
>
>
>
> I have two questions:
>
>
>
> 1. report-uri directive
>
> According to
> https://w3c.github.io/webappsec/specs/content-security-policy/#set-of-report-uris
>
> Quote: “The set of report URIs is the value of the report-uri directive,
> each resolved relative to the protected resource’s URI.”
>
> Does relative means really relative or just “resolve the uri”?
>
>
>
> 2. report-only-header
>
> Why is no report-uri directive enforced within a report-only-header?
>
>
>
> Thanks
>
> -Stefan
>



-- 
Caleb
571-228-8011
Received on Thursday, 21 August 2014 21:39:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC