webappsec-ISSUE-12: Should 'self' be required to be replaced by explict host in reports? from Web Application Security Working Group Issue Tracker on 2012-01-17 (public-webappsec@w3.org from January 2012)

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 17 Jan 2012 16:42:36 +0000
To: public-webappsec@w3.org
Message-Id: <E1RnC7I-0004u6-73@tibor.w3.org>

webappsec-ISSUE-12: Should 'self' be required to be replaced by explict host in reports?

http://www.w3.org/2011/webappsec/track/issues/12

Raised by: Brad Hill
On product: 

Section 5.3 of CSP:

In the above sample report the violated-directive field was sent in the way it was interpreted by the user-agent. The directive was made explicit by replacing the keyword 'self' with the explicit host name of the protected resource. This is recommended behavior for user-agents as it reduces ambiguity, making policy violations easier to trace by server admins.

Issue:
Should we add this as a requirement when preparing reports?

Received on Tuesday, 17 January 2012 16:42:37 UTC