Re: Request for Change to CSP Specification

For instance, what was the URL that triggered the mixed content warning.
What we get now is "violated directive default-src 'unsafe-inline'

Something like..


Would help us know it was a youtube video.

For XSS, perhaps someone forgot to allow the Google's JSAPI:


And while that would be enough for the Mixed Content use case, for other
use cases we've tried to use it (Like GMail+XSS for example), we might even
need a stack trace.

I remember someone (probably Adam?) was proposing triggering a DOM event
(on top of the report-uri). If that contains more information it would be
enough at least for us.


-- Eduardo

On Fri, Dec 9, 2011 at 6:50 PM, Daniel Veditz <> wrote:

> > We added CSP to Google+ to detect instances of Mixed Content, and with
> > the current report data its just marginally useful.
> >
> > I agree with Jason.
> What improvements would you like to see in the report data? I don't see
> how the ability to send "marginally useful" data somewhere new solves your
> problem.
> -Dan Veditz

Received on Saturday, 10 December 2011 04:51:12 UTC