- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 2 Feb 2012 13:11:02 -0800
- To: public-webappsec@w3.org
On the recent telecon, we discussed removing the request-headers field from CSP violation reports. We've seen some examples where exposing the request headers leaks sensitive information to servers (e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=664983). The field doesn't provide that much value to the server since it can always look at the request headers that come with the violation report itself to pick up details like the User-Agent.

I've made a provisional edit to the spec as follows:

http://dvcs.w3.org/hg/content-security-policy/rev/044c8c389ad8

We wanted to run this change by the list to make sure everyone was on board.

Thanks!
Adam
Received on Thursday, 2 February 2012 21:12:00 UTC
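As an added illustration of the point made in the message (this is example code, not part of Adam's mail, the CSP spec, or any browser or server implementation), the handler below shows a report-collecting endpoint that takes details such as the User-Agent from the headers of the report POST itself and drops any `request-headers` field a client might still include in the JSON body, so the original page request's headers never reach the log. The `csp-report` field names, the sample report and the sample POST headers are constructed for this example.

```python
import json

# Fields of the "csp-report" object that the collector keeps. Anything else,
# including a "request-headers" field sent by an older client, is discarded.
# The field names are an assumption of this example, not a normative list.
KEEP_FIELDS = (
    "document-uri",
    "referrer",
    "blocked-uri",
    "violated-directive",
    "original-policy",
)


def process_violation_report(body: bytes, post_headers: dict) -> dict:
    """Parse one CSP violation report POST.

    body         -- raw JSON body of the report POST
    post_headers -- headers of the report POST itself, as the web framework
                    would hand them over (name -> value)

    Returns a sanitized record suitable for storage.
    """
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("report body is not valid JSON")

    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")

    # Keep only the whitelisted string-valued fields from the report body.
    record = {k: report[k] for k in KEEP_FIELDS if isinstance(report.get(k), str)}

    # The User-Agent (and any other client detail worth logging) is read from
    # the report POST's own headers, never from the report body.
    user_agent = ""
    for name, value in post_headers.items():
        if name.lower() == "user-agent":
            user_agent = value
            break
    record["user-agent"] = user_agent

    # Record which body fields were thrown away, for monitoring which clients
    # still send them; their values are not retained.
    record["dropped-fields"] = sorted(set(report) - set(KEEP_FIELDS))
    return record


# Constructed sample: a report from a client that still sends request-headers.
SAMPLE_BODY = json.dumps({
    "csp-report": {
        "document-uri": "https://app.example/page",
        "blocked-uri": "https://cdn.example/script.js",
        "violated-directive": "script-src 'self'",
        "request-headers": "Cookie: session=EXAMPLE-NOT-A-REAL-TOKEN",
    }
}).encode("utf-8")

# Constructed sample: headers of the report POST itself.
SAMPLE_POST_HEADERS = {
    "Content-Type": "application/json",
    "User-Agent": "ExampleBrowser/1.0",
}


def demo() -> dict:
    """Run the sanitizer over the constructed sample and return the record."""
    return process_violation_report(SAMPLE_BODY, SAMPLE_POST_HEADERS)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record the collector stores carries the blocked URI and violated directive from the body and the User-Agent from the POST, while the only trace of the `request-headers` field is its name in `dropped-fields`.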