- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 29 Apr 2011 09:59:37 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 4/28/11 11:48 PM, Adam Barth wrote:
>> If someone has injected a URL into
>> my site the full URL could be a vital clue to the attack.
>
> A clever attacker wouldn't generate a violation report.

There are a lot of less clever attacks, and CSP is not universally supported. The very existence of the violation report assumes there will be something to report.

>> Can we treat the two cases differently?
>> * if there's no redirection report the full URL, always.
>> * if a load is blocked after redirecting, report one of
>> a) only the origin of the blocked request as Adam proposes
>> b) the original URL that eventually redirected and blocked
>> c) both somehow
>
> Treating these cases differently is too complicated. Complexity has
> large costs and we should be judicious in its application.

If you do b) then the two cases are exactly the same: always report the URL as it appears in the page. This could be helpful in some cases (damn, my ad network is now redirecting to a new affiliate--better add that) but confusing in others (redirection due to network hijack local to the victim).

-Dan Veditz
Received on Friday, 29 April 2011 17:00:13 UTC
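As an added illustration (not code from this thread, from Mozilla, or from the CSP spec), the following Python triage routine for a report-collecting endpoint applies the distinction the two messages argue over: whether a report carries the full URL of an injected source, only an origin (Adam's proposal for post-redirect blocks), or a URL that the policy itself allowed, which is the sign of a redirect under Dan's option b. It assumes the CSP 1.0 JSON report shape (a `csp-report` object with `document-uri`, `violated-directive` and `blocked-uri`), the sample reports and hostnames are constructed, and source-list matching is simplified to `'self'` and exact origins.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports (CSP 1.0 JSON shape assumed); all hosts are made up.
REPORT_REDIRECT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.test/cart",
    "violated-directive": "script-src 'self' https://ads.example.test",
    "blocked-uri": "https://ads.example.test/serve?affiliate=42"}})
REPORT_INJECTED = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.test/cart",
    "violated-directive": "script-src 'self' https://ads.example.test",
    "blocked-uri": "https://evil.example.test/x.js?victim=cart"}})
REPORT_ORIGIN_ONLY = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.test/cart",
    "violated-directive": "script-src 'self' https://ads.example.test",
    "blocked-uri": "https://evil.example.test"}})


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; non-URL values pass through unchanged."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else url


def allowed_origins(directive, document_uri):
    """Simplified source-list matching (assumption): 'self' and exact origins only."""
    out = set()
    for src in directive.split()[1:]:
        out.add(origin_of(document_uri) if src == "'self'" else src.rstrip("/"))
    return out


def triage(report_json):
    """Classify a violation report by what its blocked-uri can tell the site owner."""
    r = json.loads(report_json)["csp-report"]
    blocked = r["blocked-uri"]
    blocked_origin = origin_of(blocked)
    has_full_url = blocked != blocked_origin  # path or query survived in the report
    if blocked_origin in allowed_origins(r["violated-directive"], r["document-uri"]):
        # The reported origin is itself permitted, so the URL as it appears in the page
        # was fine and the load was blocked only after redirecting elsewhere (option b).
        verdict = "redirect-suspected"
    elif has_full_url:
        # Full URL of a disallowed source: the clue Dan wants preserved for injections.
        verdict = "injected-url"
    else:
        # Origin only, as Adam proposes for post-redirect blocks: path and query are gone.
        verdict = "origin-only"
    return {"verdict": verdict, "blocked_origin": blocked_origin, "has_full_url": has_full_url}
```

A "redirect-suspected" verdict is exactly the ambiguous case Dan describes: an allowed ad network now redirecting to a new affiliate looks the same as a redirect caused by a network hijack local to the victim, so the receiver can only flag it for a human to check.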