Re: [webappsec] Including URI fragment in CSP reports (ACTION-43)

IMHO making fragment logging an *opt-in* feature of CSP reports would 
make them considerably more useful than plain HTTP logs in analyzing the 
actual intent not only of some DOM XSS attempts, but also of two-stage reflected 
XSS attacks like

http://acme.com/?xss=<script>eval(unescape(location))</script>#%0Aalert("surprise")

where the actual payload would be otherwise undetectable.

--
Giorgio Maone

Received on Tuesday, 31 January 2012 08:29:56 UTC
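As an added example (not part of Giorgio's post, nor code from the CSP specification or any browser), the following Node.js script replays the two-stage URL above. It splits the URL the way a browser does (the fragment is never sent to the server), executes the reflected `eval(unescape(location))` stage with stand-in `location` and `alert` globals instead of a real page, and builds a simplified CSP report once without and once with the fragment. The report field names and the `includeFragment` option are illustrative assumptions, not an existing report format.

```javascript
// Added example (not from the original thread or the CSP spec). Run with Node.js.
// Shows why the payload of the two-stage reflected XSS lives only in the fragment.

// The attack URL quoted in the post.
const ATTACK_URL =
  'http://acme.com/?xss=<script>eval(unescape(location))</script>#%0Aalert("surprise")';

// Stage 1, server side: browsers never transmit the fragment, so an HTTP access
// log (or a CSP report that strips it) only ever sees everything before '#'.
function serverSideView(url) {
  return url.split('#')[0];
}

// Convenience: the raw fragment, still percent-encoded.
function fragment(url) {
  const i = url.indexOf('#');
  return i === -1 ? '' : url.slice(i + 1);
}

// Stage 2, client side: the reflected script runs eval(unescape(location)).
// `location` stringifies to the full URL, fragment included, and unescape()
// turns %0A into a newline. The decoded text is
//   http://acme.com/?xss=<script>eval(unescape(location))</script>
//   alert("surprise")
// which JavaScript parses as the label `http:`, a `//...` line comment, and
// then the real payload on the second line. Here `alert` is a stub that records
// its argument and `location` is just the URL string (both are stand-ins, since
// there is no browser). The vulnerable page's reflection itself is not simulated.
function runInjectedScript(url) {
  const calls = [];
  const alert = (msg) => calls.push(msg);
  // Direct eval inside this function body sees the `location` and `alert`
  // parameters, mimicking the page's globals.
  new Function('location', 'alert', 'eval(unescape(location))')(url, alert);
  return calls;
}

// A simplified CSP report. Only `document-uri` matters for this discussion;
// `includeFragment` models the opt-in Giorgio proposes (assumed name, not a
// real CSP directive). The browser knows the fragment, so it *can* include it.
function buildCspReport(url, { includeFragment = false } = {}) {
  return {
    'document-uri': includeFragment ? url : serverSideView(url),
    'violated-directive': "script-src 'self'", // illustrative value
  };
}

// Does a given log record reveal the second-stage payload at all?
function payloadVisible(record) {
  return record.includes('alert("surprise")');
}

console.log('server log sees :', serverSideView(ATTACK_URL));
console.log('fragment        :', fragment(ATTACK_URL));
console.log('alert() called  :', runInjectedScript(ATTACK_URL));
console.log('report (default):', buildCspReport(ATTACK_URL)['document-uri']);
console.log('report (opt-in) :', buildCspReport(ATTACK_URL, { includeFragment: true })['document-uri']);
```

The interesting property is that the first stage looks like a harmless-ish `eval(location)` probe in the server log; what actually executes is decided entirely by text the server never receives, which is exactly the case where an opt-in fragment field in the report adds information that no server-side log can.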