- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Thu, 2 Feb 2012 22:24:33 +0000
- To: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Are Origin and/or Referer worth whitelisting to determine where requests causing violations are coming from? > -----Original Message----- > From: Adam Barth [mailto:w3c@adambarth.com] > Sent: Thursday, February 02, 2012 1:11 PM > To: public-webappsec@w3.org > Subject: Removing request-headers from CSP violation reports > > On the recent telecon, we discussed removing the request-headers field from > CSP violation reports. We've seen some examples where exposing the > request headers leaks sensitive information to servers (e.g., > https://bugzilla.mozilla.org/show_bug.cgi?id=664983). The field doesn't > provide that much value to the server since it can always look at the request > headers that come with the violation report itself to pick up details like the > User-Agent. > > I've made a provisional edit to the spec as follows: > http://dvcs.w3.org/hg/content-security-policy/rev/044c8c389ad8 > > We wanted to run this change by the list to make sure everyone was on > board. > > Thanks! > Adam
Received on Thursday, 2 February 2012 22:25:04 UTC