- From: Mike West <mkwst@google.com>
- Date: Mon, 5 Nov 2012 17:53:23 +0100
- To: public-webappsec@w3.org
- Cc: Alex Russell <slightlyoff@google.com>
- Message-ID: <CAKXHy=dzsxkyCNbDD409C-W_v7S-X0rJp_1VYHmP6bckgReTwQ@mail.gmail.com>
We should probably consider allowing CSP violation reports to be batched
up. Right now we're making one HTTP POST per violation; it might be a good
idea to continue to allow that behavior, but also allow multiple
'csp-report' objects to be batched up in a single request for efficiency.
I'd suggest allowing them to be simply joined into an array of such objects:
[
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  },
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  }
]
WDYT?
--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 5 November 2012 16:54:16 UTC
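
Added example, not part of the original message or of any specification text: a sketch of how a report-uri collector could accept both the existing one-object body and the array form proposed above. The function name, the size limits and the field allow-list are assumptions made for illustration.

```python
import json

MAX_BODY_BYTES = 64 * 1024  # assumed collector limit, not from the message
MAX_REPORTS = 50            # assumed cap on entries per batched POST
KNOWN_FIELDS = {"document-uri", "referrer", "blocked-uri",
                "violated-directive", "original-policy"}


def parse_csp_reports(body: bytes) -> list:
    """Return the 'csp-report' objects from a single or batched POST body."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("report body too large")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("body is not valid UTF-8 JSON") from exc

    # One object per POST (current behaviour) or an array of such objects
    # (the batching proposed in the message): normalise both to a list.
    items = payload if isinstance(payload, list) else [payload]
    if not items or len(items) > MAX_REPORTS:
        raise ValueError("expected between 1 and %d reports" % MAX_REPORTS)

    reports = []
    for item in items:
        report = item.get("csp-report") if isinstance(item, dict) else None
        if not isinstance(report, dict):
            raise ValueError("each entry must be an object with 'csp-report'")
        # Report contents are untrusted input: keep only known string fields.
        reports.append({k: v for k, v in report.items()
                        if k in KNOWN_FIELDS and isinstance(v, str)})
    return reports


# Constructed sample bodies modelled on the JSON in the message.
SAMPLE_REPORT = {"csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; "
                       "report-uri http://example.org/csp-report.cgi",
}}
SINGLE = json.dumps(SAMPLE_REPORT).encode("utf-8")
BATCH = json.dumps([SAMPLE_REPORT, SAMPLE_REPORT]).encode("utf-8")

if __name__ == "__main__":
    print(len(parse_csp_reports(SINGLE)), len(parse_csp_reports(BATCH)))
```

Rejecting the whole batch on one malformed entry is a design choice of this sketch; a collector could instead skip bad entries and count them.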