- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 2 Feb 2012 14:08:03 -0800
- To: public-webappsec@w3.org
Looking at our open issues regarding violation reports, it looks like there are a couple of things we can improve.

== ISSUE-12 ==

The example text in Section 5.2 contains the following text:

---8<---
In the above sample report the violated-directive field was sent in the way it was interpreted by the user-agent. The directive was made explicit by replacing the keyword 'self' with the explicit host name of the protected resource. This is recommended behavior for user-agents as it reduces ambiguity, making policy violations easier to trace by server admins.
--->8---

but the instructions for sending a violation report don't include this instruction. Presumably this transformation shouldn't be optional for user agents.

A) Should the |violated-directive| field in the violation report be the text of the violation verbatim from the policy, or should the 'self' terms be replaced with the origin of the protected document? (Recommendation: Verbatim)

== request ==

The |request| field in the violation report is defined as the "HTTP request line of the protected resource whose policy was violated including method, URI and HTTP version". However, this seems like an odd layering violation. For example, why does the server care about the HTTP version? It seems like a more useful field would just be the URI of the protected document.

B) Should we remove the |request| field in place of a |document-uri| field containing the document's URI? (Recommendation: Yes)

Adam
Received on Thursday, 2 February 2012 22:09:09 UTC
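The following is an added example, not code from the CSP draft or from the message above, illustrating the two recommendations (A: send |violated-directive| verbatim; B: send |document-uri| instead of the request line). It shows that a verbatim directive costs the server nothing, because a receiver that has the document URI can expand 'self' itself, while a directive the user agent has already expanded no longer string-matches the policy the server served. The policy-splitting helper, the field name blocked-uri, and the sample policy and URIs are assumptions made for this illustration.

```javascript
// Added example (not from the CSP draft or the thread author): a user-agent
// side report builder following recommendations A and B, and the server side
// check that ties a report back to the policy that was actually served.

const SELF = /'self'/gi;

// Origin of the protected document, e.g. "https://example.com".
function originOf(documentUri) {
  return new URL(documentUri).origin;
}

// Receiver-side expansion of the 'self' keyword into the document's origin.
// This is the transformation Section 5.2 describes, done by the server instead.
function expandSelf(directiveText, documentUri) {
  return directiveText.replace(SELF, originOf(documentUri));
}

// Split a policy header value into its directives, keyed by directive name.
// (Assumed simple splitter: ';' separates directives, whitespace separates tokens.)
function parsePolicy(policyHeader) {
  const directives = new Map();
  for (const part of policyHeader.split(';')) {
    const text = part.trim();
    if (!text) continue;
    const name = text.split(/\s+/)[0].toLowerCase();
    directives.set(name, text);
  }
  return directives;
}

// What a user agent following A and B would send: the violated directive
// verbatim from the policy, and the document URI rather than the request line.
function buildReport(documentUri, policyHeader, directiveName, blockedUri) {
  const directive = parsePolicy(policyHeader).get(directiveName);
  if (directive === undefined) {
    throw new Error(`policy has no ${directiveName} directive`);
  }
  return {
    'document-uri': documentUri,
    'violated-directive': directive,
    'blocked-uri': blockedUri, // assumed field name, for illustration only
  };
}

// Server side: confirm the report names a directive we served (an exact
// string compare when the directive is verbatim), then expand 'self' using
// document-uri so the admin sees the concrete origin.  Returns null when the
// reported directive does not match the served policy.
function matchReport(report, servedPolicyHeader) {
  const served = parsePolicy(servedPolicyHeader);
  const name = report['violated-directive'].split(/\s+/)[0].toLowerCase();
  const known = served.get(name);
  if (known === undefined || known !== report['violated-directive']) {
    return null;
  }
  return expandSelf(known, report['document-uri']);
}

// Constructed sample policy and document (not from the thread).
const POLICY = "default-src 'self'; img-src 'self' https://cdn.example.net";
const DOC = 'https://example.com/account/settings?tab=1';

// Verbatim report: matches the served policy and expands cleanly.
const verbatimReport = buildReport(DOC, POLICY, 'img-src', 'https://evil.example.org/pixel.gif');

// Report where the user agent already expanded 'self': no longer matches the
// served policy text, so the server cannot tie it back by exact comparison.
const expandedReport = {
  ...verbatimReport,
  'violated-directive': expandSelf(verbatimReport['violated-directive'], DOC),
};

console.log(matchReport(verbatimReport, POLICY));  // expanded directive string
console.log(matchReport(expandedReport, POLICY));  // null
```

The point of matchReport is the asymmetry: a verbatim directive can always be expanded on the server, which knows the document URI, whereas an expanded directive cannot be mapped back to the policy text without the server re-implementing the user agent's rewriting rules.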