For instance, what was the URL that triggered the mixed content warning.
What we get now is "violated directive default-src 'unsafe-inline'
'unsafe-eval'".
Something like..
tagName=iframe&url=http://www.youtube.com/html5/xx11111
Would help us know it was a youtube video.
For XSS, perhaps someone forgot to allow the Google's JSAPI:
tagName=script&url=http://www.google.com/jsapi
And while that would be enough for the Mixed Content use case, for other
use cases we've tried to use it (Like GMail+XSS for example), we might even
need a stack trace.
I remember someone (probably Adam?) was proposing triggering a DOM event
(on top of the report-uri). If that contains more information it would be
enough at least for us.
Greetings!!
-- Eduardo
On Fri, Dec 9, 2011 at 6:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> > We added CSP to Google+ to detect instances of Mixed Content, and with
> > the current report data its just marginally useful.
> >
> > I agree with Jason.
>
> What improvements would you like to see in the report data? I don't see
> how the ability to send "marginally useful" data somewhere new solves your
> problem.
>
> -Dan Veditz
>