Content-Security-Policy: a "script-sample" report field is inadequate

Hello
I would like to give examples of how unhelpful CSP violation reports are ( https://www.w3.org/TR/CSP2/ )

A "script-sample" report field below

1. " ;(function() { \n     try { \n         /*..."

2. "/* See license.txt for terms of usage */..."

3. A hacker can fill the CSP report with spaces at the beginning. Whitespace and newlines need to be ignored.
"(function(){                            ..."

4. AJAX scripts can load other scripts, so the web master needs a field which identifies what caused the script to be downloaded if the script was loaded by another allowed script.

5. If the script appeared on the page, then the web master needs the HTML environment of this script (to understand how the XSS attack was conducted).

Received on Monday, 6 March 2017 10:24:13 UTC
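As an added example (not part of the original post or of the CSP specification), here is a receiver-side triage routine in Python for the report-uri JSON shape that applies the normalization points 1 to 3 ask for: leading whitespace, stray semicolons and comments are dropped before fingerprinting, and samples that are mostly padding or that are empty after cleanup are flagged as uninformative. The embedded report, the padding threshold and the minimum length are constructed assumptions.

```python
import hashlib
import json
import re

# Constructed report in the report-uri JSON shape; the sample mimics point 3 of the post
# (a short prefix followed by padding that eats the browser's truncated sample).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "inline",
    "script-sample": "(function(){" + " " * 28 + "...",
}})

# Leading whitespace, semicolons, block comments and full line comments carry no signal.
LEADING_NOISE = re.compile(r"^(?:\s|;|/\*.*?\*/|//[^\n]*\n)+", re.S)


def normalize_sample(sample: str) -> str:
    """Strip leading noise, collapse inner whitespace and drop the '...' truncation marker."""
    sample = LEADING_NOISE.sub("", sample)
    sample = re.sub(r"\s+", " ", sample)
    if sample.endswith("..."):
        sample = sample[:-3]
    return sample.strip()


def looks_padded(raw: str, threshold: float = 0.5) -> bool:
    """True when more than `threshold` of the raw sample is whitespace (assumed cut-off)."""
    return sum(c.isspace() for c in raw) / max(len(raw), 1) > threshold


def sample_is_informative(norm: str, min_chars: int = 8) -> bool:
    """A normalized sample shorter than `min_chars` tells the defender nothing."""
    return len(norm) >= min_chars


def triage_report(raw_json: str) -> dict:
    """Parse one report and return the fields a defender would key alerts on."""
    body = json.loads(raw_json)["csp-report"]
    raw_sample = body.get("script-sample", "")
    norm = normalize_sample(raw_sample)
    return {
        "directive": body.get("violated-directive"),
        "blocked_uri": body.get("blocked-uri"),
        "sample": norm,
        "padded": looks_padded(raw_sample),
        "informative": sample_is_informative(norm) and not looks_padded(raw_sample),
        # Stable fingerprint so identical violations from many clients group together.
        "fingerprint": hashlib.sha256(norm.encode()).hexdigest()[:16],
    }
```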