- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Thu, 8 Dec 2011 12:28:03 -0800
- To: Jason Franklin <jfrankli@cs.cmu.edu>
- Cc: public-web-security@w3.org
I think it is better to wait for the first revision to go live on browsers and gather feedback from web applications that adopt CSP. It might just turn out that needing some INSERT_SOME_IMPORTANT_SECRET info in the report is important but could be bad to send cross-origin. There is hardly any data/feedback right now from CSP adopters. The next revision can add the cross-origin report capability; while other way around might be more painful. --devdatta On 7 December 2011 17:41, Jason Franklin <jfrankli@cs.cmu.edu> wrote: > restriction on report-uri in the CSP Specification. First, I don't > see how the restriction defends against any reasonable adversary model > (as Adam Barth also noted in his bugzilla post on 2011-07-18) and > secondly, it makes it more difficult for a company to provide a > reporting collection and analysis service. Ideally browsers could be > instructed to send alerts back to a third-party. I would like to > submit a request for this restriction to be removed. > > - Jason Franklin > Research Associate > Stanford University > > > >
Received on Thursday, 8 December 2011 20:29:00 UTC