
Removing the same(ish) origin restriction on report-uri

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 27 Feb 2012 17:01:10 -0800
Message-ID: <CAJE5ia_VYyqJo-8JWdRiZpPfDvzLxQtNUpVttHGHrqVh2qaEfw@mail.gmail.com>
To: public-webappsec@w3.org
I went through all the feedback on CSP violation reports today and
made a bunch of edits based on our previous discussions.  I wanted to
re-confirm one of those edits with the list:


In that edit, I've removed the restriction that the report-uri needs
to have the same scheme, port, and registry-controlled domain as the
document-uri.  Originally, we had this restriction because the
violation reports contained sensitive information, such as
request-headers.  Since then, we've changed the form of the violation
reports a bit so that there isn't nearly as much sensitive information
in the reports (which means we can remove the "ugly" dependency on the
public suffix list).

This edit seems consistent with our April 2011 discussions on this
topic, but since that was a while ago, I wanted to re-confirm with the

Received on Tuesday, 28 February 2012 01:02:10 UTC
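The following is an added example, not code from Adam's message or from the CSP specification: it implements the restriction being removed (report-uri must match the document's scheme, port and registry-controlled domain) so you can see what the check demanded and why it dragged in the public suffix list. `PUBLIC_SUFFIXES` is a constructed four-entry stand-in for the real list, and `old_rule_allows`, `check_policy` and the sample policy are assumptions of this example.

```python
from urllib.parse import urlparse

# Constructed stand-in for the public suffix list; the real list has
# thousands of entries and is the "ugly" dependency the old rule required.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def registrable_domain(host):
    """Registry-controlled suffix plus one label, e.g. 'foo.co.uk'."""
    if not host:
        return None
    labels = host.lower().split(".")
    for i in range(len(labels)):  # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def parse_report_uris(policy):
    """Return the report-uri values of a CSP header string."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            return parts[1:]
    return []


def old_rule_allows(document_uri, report_uri):
    """The removed restriction: same scheme, port and registrable domain."""
    doc, rep = urlparse(document_uri), urlparse(report_uri)
    if not rep.scheme and not rep.netloc:
        return True  # relative URI resolves on the document's own origin
    rep_scheme = rep.scheme or doc.scheme  # scheme-relative inherits scheme
    if doc.scheme != rep_scheme:
        return False
    doc_port = doc.port or DEFAULT_PORTS.get(doc.scheme)
    rep_port = rep.port or DEFAULT_PORTS.get(rep_scheme)
    if doc_port != rep_port:
        return False
    return registrable_domain(doc.hostname) == registrable_domain(rep.hostname)


def check_policy(document_uri, policy, same_site_required=True):
    """Map each report-uri to whether the rule in force accepts it."""
    return {uri: (old_rule_allows(document_uri, uri) if same_site_required else True)
            for uri in parse_report_uris(policy)}
```

With `same_site_required=False` (the edited spec) every report-uri is accepted, so the public suffix list lookup is no longer needed at all.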
