- From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Tue, 17 Jan 2012 16:42:36 +0000
- To: public-webappsec@w3.org
webappsec-ISSUE-12: Should 'self' be required to be replaced by explicit host in reports?

http://www.w3.org/2011/webappsec/track/issues/12

Raised by: Brad Hill
On product: Section 5.3 of CSP:

In the above sample report the violated-directive field was sent in the way it was interpreted by the user-agent. The directive was made explicit by replacing the keyword 'self' with the explicit host name of the protected resource. This is recommended behavior for user-agents as it reduces ambiguity, making policy violations easier to trace by server admins.

Issue: Should we add this as a requirement when preparing reports?
Received on Tuesday, 17 January 2012 16:42:37 UTC
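
Added example, not part of the original message or of the CSP draft: a report collector that makes violated-directive explicit on the server side, so reports from user agents that do and do not replace 'self' can be compared. It assumes the report is JSON wrapped in a "csp-report" object with a "document-uri" field, and that 'self' expands to the full origin (scheme, host, non-default port) rather than the bare host name; the function names and sample reports are constructed for illustration.

```javascript
'use strict';

// Origin of the protected resource, taken from the report's document-uri.
// URL.origin omits default ports (80 for http, 443 for https).
function originOf(documentUri) {
  const u = new URL(documentUri); // throws on an unparsable URI
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('unsupported scheme in document-uri: ' + u.protocol);
  }
  return u.origin;
}

// Replace every 'self' source expression (keyword match is case-insensitive)
// with the explicit origin. Other tokens, including the directive name and
// already-explicit hosts, pass through unchanged, so the call is idempotent.
function expandSelf(directive, documentUri) {
  const origin = originOf(documentUri);
  return directive
    .trim()
    .split(/\s+/)
    .map((tok) => (tok.toLowerCase() === "'self'" ? origin : tok))
    .join(' ');
}

// Validate the fields used here and return a copy of the report with an
// explicit violated-directive. Malformed reports are rejected, not guessed at.
function normalizeReport(body) {
  const r = body && body['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string' ||
      typeof r['document-uri'] !== 'string') {
    throw new Error('malformed CSP report');
  }
  return {
    ...r,
    'violated-directive': expandSelf(r['violated-directive'], r['document-uri']),
  };
}

// Constructed sample: one user agent sent the keyword, another the host.
const sentAsKeyword = { 'csp-report': {
  'document-uri': 'http://example.org/page.html',
  'blocked-uri': 'http://evil.example.com/image.png',
  'violated-directive': "default-src 'self'",
} };
const sentExplicit = { 'csp-report': {
  ...sentAsKeyword['csp-report'],
  'violated-directive': 'default-src http://example.org',
} };
```

After normalizeReport, both sample reports carry the same violated-directive string and can be grouped under one key when tracing a violation.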