webappsec-ISSUE-11: Violation report privacy issues

http://www.w3.org/2011/webappsec/track/issues/11

Raised by: Brad Hill
On product: 

Section 4.11 of Content Security Policy:

To send a violation report, the user agent must use an algorithm equivalent to the following:

1. Prepare a dictionary violation dictionary with the following keys and values:

request: HTTP request line of the protected resource whose policy was violated, including method, URI and HTTP version
request-headers: HTTP request headers sent with the request for the protected resource whose policy was violated
blocked-uri: URI of the resource that was prevented from loading due to the policy violation
violated-directive: The policy directive that was violated
original-policy: The original policy as received by the user agent. If the policy was received via more than one Content Security Policy response header, this field must contain a comma-separated list of original policies

Issue: We might need to change some of these keys because they can leak sensitive information.

Received on Tuesday, 17 January 2012 16:41:36 UTC
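To make the privacy concern concrete from the receiving side, here is an added example (not part of the issue or the CSP specification) of a report-uri endpoint scrubbing a violation report built with the Section 4.11 key names before storing it. It assumes request-headers arrives as a name/value object, that Cookie and Authorization-style headers and URI query strings are the fields most likely to carry credentials or session identifiers, and uses a constructed sample report.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Assumed list of headers that commonly carry credentials or session identifiers.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}


def strip_uri(uri):
    """Drop the query string and fragment, which often embed session tokens."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def scrub_request_line(line):
    """The request line is 'METHOD URI HTTP/x.y'; scrub only the URI part."""
    fields = line.split(" ")
    if len(fields) != 3:
        return ""  # malformed line: store nothing rather than guess
    method, uri, version = fields
    return " ".join((method, strip_uri(uri), version))


def scrub_headers(headers):
    """Keep header names for debugging, but redact values of sensitive ones."""
    return {name: ("[redacted]" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


def scrub_report(raw_json):
    """Parse a violation report and return a copy safe to persist."""
    report = json.loads(raw_json)
    return {
        "request": scrub_request_line(report.get("request", "")),
        "request-headers": scrub_headers(report.get("request-headers", {})),
        "blocked-uri": strip_uri(report.get("blocked-uri", "")),
        "violated-directive": report.get("violated-directive", ""),
        "original-policy": report.get("original-policy", ""),
    }


# Constructed sample report (values are illustrative, not real traffic).
SAMPLE_REPORT = json.dumps({
    "request": "GET /account?session=abc123 HTTP/1.1",
    "request-headers": {"Host": "example.com", "Cookie": "sid=secret", "Accept": "*/*"},
    "blocked-uri": "http://tracker.example/track.js?uid=42#frag",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp-report",
})

if __name__ == "__main__":
    print(json.dumps(scrub_report(SAMPLE_REPORT), indent=2))
```

Scrubbing at the receiver only limits what gets stored; by the time the report arrives the data has already left the user agent, which is why the issue targets the report keys themselves.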