- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 27 Feb 2012 17:01:10 -0800
- To: public-webappsec@w3.org
I went through all the feedback on CSP violation reports today and made a bunch of edits based on our previous discussions. I wanted to re-confirm one of those edits with the list:

http://dvcs.w3.org/hg/content-security-policy/rev/275074d083aa

In that edit, I've removed the restriction that the report-uri needs to have the same scheme, port, and registry-controlled domain as the document-uri. Originally, we had this restriction because the violation reports contained sensitive information, such as request headers. Since then, we've changed the form of the violation reports a bit so that there isn't nearly as much sensitive information in the reports (which means we can remove the "ugly" dependency on the public suffix list).

This edit seems consistent with our April 2011 discussions on this topic, but since that was a while ago, I wanted to re-confirm with the list.

Thanks!
Adam
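The restriction the message removes (report-uri must share scheme, port and registry-controlled domain with the document-uri) is easiest to appreciate as code. The following is an added illustration, not code from the CSP specification or from this thread: it implements that old check so a site operator can see which reporting endpoints it would have rejected, and why it dragged in the public suffix list. The `PUBLIC_SUFFIXES` set is a constructed, deliberately tiny stand-in for the real list, and the function names and sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (assumption: a real
# implementation would have to ship and maintain the full list, which is
# the dependency the message calls "ugly").
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def registry_controlled_domain(host):
    """Return the public suffix plus one label (e.g. 'example.co.uk'),
    or None if the host is itself a public suffix or is missing."""
    if not host:
        return None
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None          # host is a bare public suffix
            return ".".join(labels[i - 1:])
    return host                      # unknown suffix: treat whole host as registrable


def effective_port(parts):
    """Explicit port if given, otherwise the scheme default."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def allowed_under_old_rule(document_uri, report_uri):
    """The pre-revision restriction: same scheme, same port, same
    registry-controlled domain. Returns (allowed, reason)."""
    doc, rep = urlsplit(document_uri), urlsplit(report_uri)
    if doc.scheme != rep.scheme:
        return False, "scheme mismatch"
    if effective_port(doc) != effective_port(rep):
        return False, "port mismatch"
    doc_rcd = registry_controlled_domain(doc.hostname)
    rep_rcd = registry_controlled_domain(rep.hostname)
    if doc_rcd is None or doc_rcd != rep_rcd:
        return False, "registry-controlled domain mismatch"
    return True, "ok"


def classify_endpoints(document_uri, report_uris):
    """Evaluate each candidate report-uri against the old rule, returning
    a list of (report_uri, allowed, reason) for review."""
    return [(uri, *allowed_under_old_rule(document_uri, uri)) for uri in report_uris]


if __name__ == "__main__":
    # Constructed sample: one document and several candidate reporting endpoints.
    page = "https://www.example.com/account"
    candidates = [
        "https://reports.example.com/csp",      # same org, allowed
        "http://reports.example.com/csp",       # scheme differs
        "https://reports.example.com:8443/csp", # port differs
        "https://csp-collector.example.org/r",  # third-party collector, rejected
    ]
    for uri, ok, why in classify_endpoints(page, candidates):
        print(f"{'ALLOW' if ok else 'REJECT':6} {uri}  ({why})")
```

Note that the third-party collector case is exactly what the old rule forbade and what the revision permits; once the reports no longer carry request headers, the remaining question for an operator is simply whether the collector is one they trust with document and blocked URIs.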
Received on Tuesday, 28 February 2012 01:02:10 UTC