- From: Mike West <mkwst@google.com>
- Date: Mon, 5 Nov 2012 17:53:23 +0100
- To: public-webappsec@w3.org
- Cc: Alex Russell <slightlyoff@google.com>
- Message-ID: <CAKXHy=dzsxkyCNbDD409C-W_v7S-X0rJp_1VYHmP6bckgReTwQ@mail.gmail.com>
We should probably consider allowing CSP violation reports to be batched up. Right now we're making one HTTP POST per violation; it might be a good idea to continue to allow that behavior, but also allow multiple 'csp-report' objects to be batched up in a single request for efficiency. I'd suggest allowing them to be simply joined an array of such objects: [ { "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi" } }, { "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi" } } ] WDYT? -- Mike West <mkwst@google.com>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 5 November 2012 16:54:16 UTC