[webappsec] Including URI fragment in CSP reports (ACTION-43)

On our last WG call, we raised the issue of URI fragments in CSP reports.   Currently, the specification calls for the "HTTP request line of the protected resource whose policy was violated including method, URI and HTTP version".  This would exclude URI fragments as they are not sent with the request, but processed locally in the User-Agent.  This appears to be correct behavior, as fragments are sometimes used for private context and should not leak, especially in non-same-origin reports.

I would like to propose that the spec be amended to explicitly forbid the sending of URI fragments as a clarification.  Are we aware of any cases where this prohibition would negatively impact the usefulness of the reports?

Brad Hill

Received on Tuesday, 31 January 2012 00:25:24 UTC
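The point above, as an added example that is not part of the original message: the fragment is processed locally by the user agent and never travels with the request, so a conforming report builder simply never includes it, and a report collector can still check defensively that nothing slipped through. The report field names (`document-uri`, `blocked-uri`, `referrer`, `request`) and the sample report are assumptions constructed for this illustration; the code uses only the standard WHATWG `URL` class available in browsers and Node.js.

```javascript
// Added example, not code from the original post or the CSP specification.
// Two sides of the same rule: (1) how a user agent would form the report's
// request line without the fragment, and (2) how a collector can verify that
// no fragment arrived anyway. Field names below are assumed for illustration.

// Build the "HTTP request line" string for a CSP report from a document URL.
// pathname + search deliberately omit hash: the fragment is never on the wire.
function requestLineForReport(documentUrl, method = 'GET', httpVersion = 'HTTP/1.1') {
  const u = new URL(documentUrl);
  return `${method} ${u.pathname}${u.search} ${httpVersion}`;
}

// Strip the fragment from an absolute URL, leaving everything else intact.
function stripFragment(urlString) {
  const u = new URL(urlString);
  u.hash = '';
  return u.href;
}

// Report fields that may carry a URI or request line (assumed names).
const URI_FIELDS = ['document-uri', 'blocked-uri', 'referrer', 'request'];

// Collector-side check: return a copy of the report with any fragment removed
// and the list of fields in which one was found, so the sender can be flagged.
function sanitizeReport(report) {
  const clean = { ...report };
  const leakedFields = [];
  for (const field of URI_FIELDS) {
    const value = clean[field];
    if (typeof value !== 'string' || !value.includes('#')) continue;
    leakedFields.push(field);
    try {
      clean[field] = stripFragment(value);          // absolute URL
    } catch (e) {
      // Not an absolute URL (e.g. a request line or relative path):
      // drop "#..." up to the next whitespace instead.
      clean[field] = value.replace(/#\S*/, '');
    }
  }
  return { report: clean, leakedFields };
}

// Constructed sample report in which a sender wrongly included fragments.
const sampleReport = {
  'document-uri': 'https://app.example/account#token=SECRET',
  'referrer': 'https://other.example/page#section',
  'blocked-uri': 'https://evil.example/x.js',
  'request': 'GET /account#token=SECRET HTTP/1.1',
  'violated-directive': "script-src 'self'",
};

// Stand-alone demo when run directly.
console.log(requestLineForReport('https://app.example/account?x=1#token=SECRET'));
console.log(JSON.stringify(sanitizeReport(sampleReport), null, 2));
```

On the collector side, a non-empty `leakedFields` is worth logging: a report that arrives with a fragment came from a user agent that does not follow the rule proposed here, and the stored copy should be the sanitized one.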