Request for Change to CSP Specification from Jason Franklin on 2011-12-08 (public-web-security@w3.org from December 2011)

From: Jason Franklin <jfrankli@cs.cmu.edu>
Date: Wed, 7 Dec 2011 17:41:22 -0800
To: public-web-security@w3.org
Message-ID: <CABeX1wW=ycaizaRxoNE=P=bFFPuUTyLUnpcQOc9WkN0BN_HTWg@mail.gmail.com>

restriction on report-uri in the CSP Specification.  First, I don't
see how the restriction defends against any reasonable adversary model
(as Adam Barth also noted in his bugzilla post on 2011-07-18) and
secondly, it makes it more difficult for a company to provide a
reporting collection and analysis service. Ideally browsers could be
instructed to send alerts back to a third-party.  I would like to
submit a request for this restriction to be removed.

- Jason Franklin
Research Associate
Stanford University

Received on Thursday, 8 December 2011 19:27:59 UTC