webappsec-ISSUE-12: Should 'self' be required to be replaced by explicit host in reports?

http://www.w3.org/2011/webappsec/track/issues/12

Raised by: Brad Hill
On product: 

Section 5.3 of CSP:

In the above sample report the violated-directive field was sent in the way it was interpreted by the user-agent. The directive was made explicit by replacing the keyword 'self' with the explicit host name of the protected resource. This is recommended behavior for user-agents as it reduces ambiguity, making policy violations easier to trace by server admins.

Issue:
Should we add this as a requirement when preparing reports?

Received on Tuesday, 17 January 2012 16:42:37 UTC