- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 9 Dec 2011 21:45:48 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Daniel Veditz <dveditz@mozilla.com>, Jason Franklin <jfrankli@cs.cmu.edu>, public-web-security@w3.org
I am starting a new thread about the data that a report should generate based on your feedback. This is great feedback that I am sure the list would love to learn from. But, for this thread, would the ability to send the report cross origin matter at all? I feel like the need for more possibly-secret data means you wouldn't want the ability to send cross-origin reports.

-devdatta

On 9 December 2011 20:50, sird@rckc.at <sird@rckc.at> wrote:
> For instance, what was the URL that triggered the mixed content warning.
> What we get now is "violated directive default-src 'unsafe-inline'
> 'unsafe-eval'".
>
> Something like:
>
> tagName=iframe&url=http://www.youtube.com/html5/xx11111
>
> Would help us know it was a YouTube video.
>
> For XSS, perhaps someone forgot to allow Google's JSAPI:
>
> tagName=script&url=http://www.google.com/jsapi
>
> And while that would be enough for the Mixed Content use case, for other use
> cases we've tried to use it (like GMail+XSS for example), we might even need
> a stack trace.
>
> I remember someone (probably Adam?) was proposing triggering a DOM event (on
> top of the report-uri). If that contains more information it would be enough
> at least for us.
>
> Greetings!!
>
> -- Eduardo
>
> On Fri, Dec 9, 2011 at 6:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>
>> > We added CSP to Google+ to detect instances of Mixed Content, and with
>> > the current report data it's just marginally useful.
>> >
>> > I agree with Jason.
>>
>> What improvements would you like to see in the report data? I don't see
>> how the ability to send "marginally useful" data somewhere new solves your
>> problem.
>>
>> -Dan Veditz
Received on Saturday, 10 December 2011 05:46:37 UTC
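As an added example (not code from the thread, and not from Google+, Mozilla or any participant's system), here is a small report-uri receiver that shows why the thread wants a blocked URL in the report. It parses the `csp-report` JSON object that browsers POST to a report-uri, and classifies each report the way the Google+ mixed-content use case needs: an `http:` resource blocked on an `https:` page is mixed content, an `https:` resource blocked by `script-src` is a likely allowlist gap (or an injection), and inline/eval blocks are their own bucket. A report that carries only the violated-directive text and no `blocked-uri` falls through to `unknown`, which is exactly the situation Eduardo describes. The `redact` helper strips query strings and fragments before anything is logged, since those are where possibly-secret data tends to live, which is Devdatta's concern above. The sample report bodies, the `plus.example` host and the size cap are all constructed for this example; the JSON field names (`document-uri`, `blocked-uri`, `violated-directive`, `original-policy`) are those of the csp-report format browsers send.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Reports come from arbitrary clients on the Internet; bound what we parse.
MAX_REPORT_BYTES = 16 * 1024  # assumption: a sane upper limit for one report

# blocked-uri values that mean "no fetch happened": inline script/style or eval.
# Browsers report these as "inline" / "eval"; older Firefox builds sent "self".
NON_FETCH_VALUES = {"", "self", "inline", "eval"}


def redact(uri):
    """Drop query and fragment before a URI is logged or forwarded.

    Those components are where session tokens and other possibly-secret
    data usually live; the scheme/host/path is enough to act on a report.
    """
    parts = urlsplit(uri)
    if not parts.scheme:
        return uri  # "inline", "self", etc. carry nothing to redact
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def parse_report(body):
    """Return the csp-report dict from a report-uri POST body, or None if malformed."""
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("csp-report"), dict):
        return None
    return doc["csp-report"]


def classify(report):
    """Map one csp-report object to a category the mixed-content use case cares about."""
    # "default-src 'unsafe-inline' 'unsafe-eval'" -> "default-src"
    directive = report.get("violated-directive", "").split(" ", 1)[0] or "unknown"
    blocked = report.get("blocked-uri")
    if blocked is None:
        # Only the directive text is present: we cannot tell what was blocked.
        return {"kind": "unknown", "directive": directive, "blocked": None}
    if blocked in NON_FETCH_VALUES:
        return {"kind": "inline-or-eval", "directive": directive, "blocked": blocked}
    doc_scheme = urlsplit(report.get("document-uri", "")).scheme
    if doc_scheme == "https" and urlsplit(blocked).scheme == "http":
        return {"kind": "mixed-content", "directive": directive, "blocked": redact(blocked)}
    # Fetched over https but still blocked: an allowlist gap or an injected resource.
    return {"kind": "blocked-external", "directive": directive, "blocked": redact(blocked)}


def summarize(bodies):
    """Parse and classify a batch of POST bodies; malformed ones are counted, not raised."""
    out = {"malformed": 0, "results": []}
    for body in bodies:
        rep = parse_report(body)
        if rep is None:
            out["malformed"] += 1
            continue
        out["results"].append(classify(rep))
    return out


# Constructed sample bodies (not real traffic). plus.example is a placeholder host.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "https://plus.example/stream?authuser=0",
        "blocked-uri": "http://www.youtube.com/html5/xx11111?autoplay=1",
        "violated-directive": "default-src https: 'unsafe-inline' 'unsafe-eval'",
        "original-policy": "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri /csp",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://plus.example/stream",
        "blocked-uri": "https://www.google.com/jsapi",
        "violated-directive": "script-src https://plus.example",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://plus.example/stream",
        "blocked-uri": "inline",
        "violated-directive": "script-src https://plus.example",
    }}),
    # Old-style report: directive only, no blocked-uri, as quoted in the thread.
    json.dumps({"csp-report": {
        "document-uri": "https://plus.example/stream",
        "violated-directive": "default-src 'unsafe-inline' 'unsafe-eval'",
    }}),
    "this is not a JSON report",
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_BODIES)["results"]:
        print(r)
```

Two practitioner notes. First, everything in a report is client-supplied: treat `document-uri` and `blocked-uri` as untrusted strings, never as a reason to fetch or to trust anything, and keep the size cap. Second, the `unknown` bucket is the measurable cost of a report with no blocked URL; once `blocked-uri` is present, the classifier above is all the Google+ mixed-content detection needs, and a `tagName`-style field would only refine it.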