Re: Request for Change to CSP Specification

I think it is better to wait for the first revision to go live on
browsers and gather feedback from web applications that adopt CSP.  It
might just turn out that needing some INSERT_SOME_IMPORTANT_SECRET
info in the report is important but could be bad to send cross-origin.
There is hardly any data/feedback right now from CSP adopters. The
next revision can add the cross-origin report capability; while other
way around might be more painful.


On 7 December 2011 17:41, Jason Franklin <> wrote:
> restriction on report-uri in the CSP Specification.  First, I don't
> see how the restriction defends against any reasonable adversary model
> (as Adam Barth also noted in his bugzilla post on 2011-07-18) and
> secondly, it makes it more difficult for a company to provide a
> reporting collection and analysis service. Ideally browsers could be
> instructed to send alerts back to a third-party.  I would like to
> submit a request for this restriction to be removed.
> - Jason Franklin
> Research Associate
> Stanford University

Received on Thursday, 8 December 2011 20:29:00 UTC