Re: Batching CSP violation reports.

+1


On Mon, Nov 5, 2012 at 4:53 PM, Mike West <mkwst@google.com> wrote:

> We should probably consider allowing CSP violation reports to be batched
> up. Right now we're making one HTTP POST per violation; it might be a good
> idea to continue to allow that behavior, but also allow multiple
> 'csp-report' objects to be batched up in a single request for efficiency.
>
> I'd suggest allowing them to be simply joined an array of such objects:
>
> [
>   {
>     "csp-report": {
>       "document-uri": "http://example.org/page.html",
>       "referrer": "http://evil.example.com/haxor.html",
>       "blocked-uri": "http://evil.example.com/image.png",
>       "violated-directive": "default-src 'self'",
>       "original-policy": "default-src 'self'; report-uri
> http://example.org/csp-report.cgi"
>     }
>   },
>   {
>     "csp-report": {
>       "document-uri": "http://example.org/page.html",
>       "referrer": "http://evil.example.com/haxor.html",
>       "blocked-uri": "http://evil.example.com/image.png",
>       "violated-directive": "default-src 'self'",
>       "original-policy": "default-src 'self'; report-uri
> http://example.org/csp-report.cgi"
>     }
>   }
> ]
>
> WDYT?
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>

Received on Monday, 5 November 2012 18:44:49 UTC