- From: Ehsan Toreini <notifications@github.com>
- Date: Wed, 10 Jun 2026 09:16:36 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 10 June 2026 16:16:40 UTC
toreini left a comment (w3ctag/design-reviews#1173)
Hi @mikewest ,
Apologies for the confusion. Allow me to clarify myself:
1. Three distinct implementation scenarios may arise:
* CSP-only: Relies solely on Content Security Policy for violation reporting.
* Allow-list-only: Uses only the connection-allowlist mechanism.
* CSP-allowlist mixture: Employs both policies concurrently.
Do these scenarios trigger distinct browser parsing behaviors? If so, clarifying these differences in the specification could enhance privacy analysis, particularly regarding side-channel attacks.
2. Cross-Origin Reporting Inconsistencies: Potential inconsistencies in violation reporting formats between:
* CSP
* connection-allowlist
Is there a risk that attackers could exploit reporting disparities to exfiltrate data (e.g., server configurations) when both mechanisms are deployed concurrently? I.e.: make the user think there is no possibility of leaking data while exfiltrating via reporting. Generally speaking, discrepancies between CSP and Connection Allowlist are worth exploring by the WG.
--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1173#issuecomment-4672127940
Message ID: <w3ctag/design-reviews/issues/1173/4672127940@github.com>