- From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Tue, 17 Jan 2012 16:41:33 +0000
- To: public-webappsec@w3.org
webappsec-ISSUE-11: Violation report privacy issues

http://www.w3.org/2011/webappsec/track/issues/11

Raised by: Brad Hill
On product:

Section 4.11 of Content Security Policy:

To send a violation report, the user agent must use an algorithm equivalent to the following:

1. Prepare a dictionary violation dictionary with the following keys and values:

   request: HTTP request line of the protected resource whose policy was violated, including method, URI and HTTP version
   request-headers: HTTP request headers sent with the request for the protected resource whose policy was violated
   blocked-uri: URI of the resource that was prevented from loading due to the policy violation
   violated-directive: The policy directive that was violated
   original-policy: The original policy as received by the user-agent. If the policy was received via more than one Content Security Policy response header, this field must contain a comma separated list of original policies

Issue: We might need to change some of these keys because they can leak sensitive information.
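An added illustration of the leak the issue points at, written for this page and not code from the spec or the tracker: it builds the violation dictionary with exactly the five keys quoted above, then applies one possible redaction (dropping credential-bearing headers and the query string/fragment from the request line). The sensitive-header list, the redaction rules and the sample request are assumptions for illustration only.

```javascript
// Header names treated as credential-bearing (assumption, not from the spec).
const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Builds the dictionary with the keys listed in the quoted Section 4.11 text.
function buildViolationReport(req, blockedUri, violatedDirective, policies) {
  return {
    'request': `${req.method} ${req.uri} ${req.version}`,
    'request-headers': { ...req.headers },
    'blocked-uri': blockedUri,
    'violated-directive': violatedDirective,
    // More than one CSP header: comma separated list of the original policies.
    'original-policy': policies.join(', '),
  };
}

// Redacted variant: removes credential-bearing headers and strips the query
// string and fragment from the URI in the request line, since both commonly
// carry session tokens that a report receiver has no need to see.
function redactViolationReport(report) {
  const headers = {};
  for (const [name, value] of Object.entries(report['request-headers'])) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  const [method, uri, version] = report.request.split(' ');
  const strippedUri = uri.replace(/[?#].*$/, '');
  return {
    ...report,
    'request': `${method} ${strippedUri} ${version}`,
    'request-headers': headers,
  };
}

// Constructed sample request for the protected resource; the cookie and the
// token in the query string are made-up values.
const sampleRequest = {
  method: 'GET',
  uri: 'https://app.example/account?token=SECRET123',
  version: 'HTTP/1.1',
  headers: { Host: 'app.example', Cookie: 'session=abc123', 'User-Agent': 'ExampleUA/1.0' },
};

const rawReport = buildViolationReport(
  sampleRequest, 'https://third-party.example/widget.js', 'script-src',
  ["script-src 'self'", "default-src 'none'"]);
const redactedReport = redactViolationReport(rawReport);
```

Comparing `rawReport` with `redactedReport` shows what a report receiver would learn from the `request` and `request-headers` keys as specified, versus after redaction.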
Received on Tuesday, 17 January 2012 16:41:36 UTC