Re: Batching CSP violation reports. from Mike West on 2012-11-05 (public-webappsec@w3.org from November 2012)

From: Mike West <mkwst@google.com>
Date: Mon, 5 Nov 2012 19:06:00 +0100
To: Ian Melven <imelven@mozilla.com>
Cc: Alex Russell <slightlyoff@google.com>, public-webappsec@w3.org
Message-ID: <CAKXHy=dyA+2M9WdcuKhHkZ=bqzkz---epH_hR5WFa5JMHSrLeg@mail.gmail.com>

On Mon, Nov 5, 2012 at 6:03 PM, Ian Melven <imelven@mozilla.com> wrote:

> Would these be aggregated at the document-uri level ? ie all violations
> for a particular document would be batched ?

I don't think the spec should mandate a behavior. My suggestion is simply
that the 1.1 spec allow multiple reports to be sent in a single POST. I'd
expect user agents to be able to determine the most effective behavior
based on context. It might make sense to send one report for a protected
resource, or it might make sense to send one report every X seconds, or any
of a number of possible mechanisms.

-mike

Received on Monday, 5 November 2012 18:06:48 UTC