webappsec-ISSUE-11: Violation report privacy issues from Web Application Security Working Group Issue Tracker on 2012-01-17 (public-webappsec@w3.org from January 2012)

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 17 Jan 2012 16:41:33 +0000
To: public-webappsec@w3.org
Message-Id: <E1RnC6H-0004tu-RQ@tibor.w3.org>

webappsec-ISSUE-11: Violation report privacy issues

http://www.w3.org/2011/webappsec/track/issues/11

Raised by: Brad Hill
On product: 

Section 4.11 of Content Security Policy:

To send a violation report, the user agent must use an algorithm equivalent to the following:

1.Prepare a dictionary violation dictionary with the following keys and values: 

request    HTTP request line of the protected resource whose policy was violated including method, URI and HTTP version

request-headers        HTTP request headers sent with the request for the protected resource whose policy was violated

blocked-uri   URI of the resource that was prevented from loading due to the policy violation

violated-directive   The policy directive that was violated

original-policy       The original policy as received by the user-agent. If the policy was received via more than one Content Security Policy response header, this field must contain a comma separated list of original policies

Issue:  We might need to change some of these keys because they can leak sensitive information.

Received on Tuesday, 17 January 2012 16:41:36 UTC