On the recent telecon, we discussed removing the request-headers field from CSP violation reports. We've seen some examples where exposing the request headers leaks sensitive information to servers (e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=664983). The field doesn't provide that much value to the server since it can always look at the request headers that come with the violation report itself to pick up details like the User-Agent. I've made a provisional edit to the spec as follows: http://dvcs.w3.org/hg/content-security-policy/rev/044c8c389ad8 We wanted to run this change by the list to make sure everyone was on board. Thanks! AdamReceived on Thursday, 2 February 2012 21:12:00 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:26 UTC