Batching CSP violation reports.

We should probably consider allowing CSP violation reports to be batched
up. Right now we're making one HTTP POST per violation; it might be a good
idea to continue to allow that behavior, but also allow multiple
'csp-report' objects to be batched up in a single request for efficiency.

I'd suggest allowing them to be simply joined in an array of such objects:

[
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  },
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  }
]

WDYT?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Monday, 5 November 2012 16:54:16 UTC