Re: Batching CSP violation reports.

Great suggestion. A couple of weeks ago at OWASP AppSec USA, I received feedback from a few different sites that are implementing
CSP to various degrees. The amount of violation report messages received was raised as an issue
multiple times, so there's at least anecdotal evidence that this is something that could be improved.

Would these be aggregated at the document-uri level? i.e. all violations for a particular document
would be batched?

Thanks for bringing this up!
ian

----- Original Message -----
From: "Mike West" <mkwst@google.com>
To: public-webappsec@w3.org
Cc: "Alex Russell" <slightlyoff@google.com>
Sent: Monday, November 5, 2012 8:53:23 AM
Subject: Batching CSP violation reports.

We should probably consider allowing CSP violation reports to be batched up. Right now we're making one HTTP POST per violation; it might be a good idea to continue to allow that behavior, but also allow multiple 'csp-report' objects to be batched up in a single request for efficiency.

I'd suggest allowing them to be simply joined into an array of such objects:

[
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  },
  {
    "csp-report": {
      "document-uri": "http://example.org/page.html",
      "referrer": "http://evil.example.com/haxor.html",
      "blocked-uri": "http://evil.example.com/image.png",
      "violated-directive": "default-src 'self'",
      "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
    }
  }
]


WDYT? 

-- 
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany 
Google+: https://mkw.st/+ , Twitter: @mikewest, Cell: +49 162 10 255 91 

Received on Monday, 5 November 2012 17:03:40 UTC
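As an added example that is not part of the thread and not code from any browser or report collector: a collector-side parser that accepts both the current single-object POST body and the batched array form proposed above, then answers Ian's question by aggregating the reports per document-uri. The field names are the ones used in the quoted message; the batch and field-length caps, the aggregation keys and the sample payload are assumptions made here. The caps matter because every field in a report is chosen by the page that triggered it, and a batched body lets one POST carry many reports, so a collector should bound what it accepts before storing anything.

```python
"""Collector-side handling for CSP violation reports, accepting both the
existing single-object body and the proposed batched array form.

Added example; not code from the thread or from any browser/collector.
Field names (csp-report, document-uri, referrer, blocked-uri,
violated-directive, original-policy) are those used in the quoted message;
the limits and the aggregation keys are assumptions made here.
"""
import json
from collections import Counter

REQUIRED = ("document-uri", "violated-directive")
KNOWN = ("document-uri", "referrer", "blocked-uri",
         "violated-directive", "original-policy")
MAX_BATCH = 100          # assumed cap: one POST must not carry unbounded reports
MAX_FIELD_LEN = 2048     # assumed cap on any single string field


class BadReport(ValueError):
    """Raised when a POST body is not a well-formed report or batch."""


def parse_csp_reports(body: str) -> list[dict]:
    """Parse a report-uri POST body into a list of csp-report dicts.

    Accepts either {"csp-report": {...}} or [{"csp-report": {...}}, ...].
    Every field is attacker-controlled (the page, not the browser, chooses
    referrer and blocked-uri), so validate shape, cap batch size and field
    length, and drop unknown keys instead of storing them verbatim.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise BadReport(f"invalid JSON: {exc}") from None

    if isinstance(data, dict):
        data = [data]                  # single-report form
    if not isinstance(data, list):
        raise BadReport("body must be an object or an array of objects")
    if len(data) > MAX_BATCH:
        raise BadReport(f"batch of {len(data)} exceeds {MAX_BATCH}")

    reports = []
    for i, item in enumerate(data):
        if not isinstance(item, dict) or not isinstance(item.get("csp-report"), dict):
            raise BadReport(f"entry {i}: missing csp-report object")
        raw = item["csp-report"]
        for key in REQUIRED:
            if not isinstance(raw.get(key), str) or not raw[key]:
                raise BadReport(f"entry {i}: missing {key}")
        clean = {}
        for key in KNOWN:
            val = raw.get(key)
            if isinstance(val, str):
                clean[key] = val[:MAX_FIELD_LEN]
        reports.append(clean)
    return reports


def aggregate_by_document(reports: list[dict]) -> dict[str, Counter]:
    """Count violations per document-uri, keyed by (directive, blocked-uri)."""
    agg: dict[str, Counter] = {}
    for r in reports:
        key = (r["violated-directive"], r.get("blocked-uri", ""))
        agg.setdefault(r["document-uri"], Counter())[key] += 1
    return agg


# Constructed sample: the batched body from the message, plus one extra
# violation on the same page with a different blocked URI.
SAMPLE_BATCH = json.dumps([
    {"csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/haxor.html",
        "blocked-uri": "http://evil.example.com/image.png",
        "violated-directive": "default-src 'self'",
        "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi",
    }},
    {"csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/haxor.html",
        "blocked-uri": "http://evil.example.com/image.png",
        "violated-directive": "default-src 'self'",
        "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi",
    }},
    {"csp-report": {
        "document-uri": "http://example.org/page.html",
        "blocked-uri": "http://evil.example.com/track.js",
        "violated-directive": "default-src 'self'",
        "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi",
    }},
])

if __name__ == "__main__":
    for doc, counts in aggregate_by_document(parse_csp_reports(SAMPLE_BATCH)).items():
        print(doc)
        for (directive, blocked), n in counts.most_common():
            print(f"  {n:>3}  {directive!r} blocked {blocked}")
```

Because the parser normalises the single-object form into a one-element list, the same storage and aggregation path serves both shapes, which is what lets a collector keep accepting the existing behaviour while adding batch support.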