We should probably consider allowing CSP violation reports to be batched up. Right now we're making one HTTP POST per violation; it might be a good idea to continue to allow that behavior, but also allow multiple 'csp-report' objects to be batched up in a single request for efficiency.

I'd suggest allowing them to be simply joined into an array of such objects:

    [
      {
        "csp-report": {
          "document-uri": "http://example.org/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/image.png",
          "violated-directive": "default-src 'self'",
          "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
        }
      },
      {
        "csp-report": {
          "document-uri": "http://example.org/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/image.png",
          "violated-directive": "default-src 'self'",
          "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
        }
      }
    ]

WDYT?

-- 
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Monday, 5 November 2012 16:54:16 UTC
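Added example, not part of the original message or of any CSP implementation: a Python parser for a report collector that accepts both the current one-object POST body and the array form proposed above, treating the body as untrusted input. The names `parse_csp_reports` and `ReportError` and the two size limits are assumptions made for illustration.

```python
import json

MAX_BODY_BYTES = 64 * 1024  # assumed cap on the POST body, not from the proposal
MAX_BATCH = 100             # assumed cap on reports per request, not from the proposal

class ReportError(ValueError):
    """Raised when a report body is malformed or exceeds the assumed limits."""

def parse_csp_reports(body: bytes) -> list:
    """Return the inner 'csp-report' dicts from a single or batched POST body."""
    if len(body) > MAX_BODY_BYTES:
        raise ReportError("body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError) as exc:  # bad UTF-8, bad JSON, deep nesting
        raise ReportError("not valid UTF-8 JSON") from exc
    # Current behaviour is one object per POST; the proposal adds an array of them.
    items = doc if isinstance(doc, list) else [doc]
    if not items or len(items) > MAX_BATCH:
        raise ReportError("empty or oversized batch")
    reports = []
    for i, item in enumerate(items):
        report = item.get("csp-report") if isinstance(item, dict) else None
        if not isinstance(report, dict):
            # Reject the whole request so one bad element cannot hide in a batch.
            raise ReportError(f"item {i} is not a csp-report object")
        reports.append(report)
    return reports

# Constructed sample bodies, shortened from the report shown in the message.
SAMPLE_REPORT = {"csp-report": {
    "document-uri": "http://example.org/page.html",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src 'self'",
}}
SINGLE = json.dumps(SAMPLE_REPORT).encode()
BATCH = json.dumps([SAMPLE_REPORT, SAMPLE_REPORT]).encode()

if __name__ == "__main__":
    for name, body in (("single", SINGLE), ("batch", BATCH)):
        print(name, len(parse_csp_reports(body)))
```

Because anyone can POST to a report URI, the collector bounds both the body size and the batch length before storing anything.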