RE: Batching CSP violation reports.

Agreed.  In particular, for UI Safety events that also result in an event being fired (report-only mode) it may be desirable to have the report sent in a timely manner to make correlation and application of report information into decisions about risk and disposition/fulfillment of the request.

-Brad

From: Mike West [mailto:mkwst@google.com]
Sent: Monday, November 05, 2012 1:06 PM
To: Ian Melven
Cc: Alex Russell; public-webappsec@w3.org
Subject: Re: Batching CSP violation reports.

On Mon, Nov 5, 2012 at 6:03 PM, Ian Melven <imelven@mozilla.com> wrote:
Would these be aggregated at the document-uri level? I.e., all violations for a particular document would be batched?

I don't think the spec should mandate a behavior. My suggestion is simply that the 1.1 spec allow multiple reports to be sent in a single POST. I'd expect user agents to be able to determine the most effective behavior based on context. It might make sense to send one report for a protected resource, or it might make sense to send one report every X seconds, or any of a number of possible mechanisms.

-mike

Received on Monday, 5 November 2012 18:15:33 UTC