RE: Batching CSP violation reports.

Agreed.  In particular, for UI Safety events that also result in an event being fired (report-only mode) it may be desirable to have the report sent in a timely manner to make correlation and application of report information into decisions about risk and disposition/fulfillment of the request.


From: Mike West []
Sent: Monday, November 05, 2012 1:06 PM
To: Ian Melven
Cc: Alex Russell;
Subject: Re: Batching CSP violation reports.

On Mon, Nov 5, 2012 at 6:03 PM, Ian Melven <<>> wrote:
Would these be aggregated at the document-uri level ? ie all violations for a particular document would be batched ?

I don't think the spec should mandate a behavior. My suggestion is simply that the 1.1 spec allow multiple reports to be sent in a single POST. I'd expect user agents to be able to determine the most effective behavior based on context. It might make sense to send one report for a protected resource, or it might make sense to send one report every X seconds, or any of a number of possible mechanisms.


Received on Monday, 5 November 2012 18:15:33 UTC