Re: Trigger a DOM event/error when a CSP violation happens.

On 11/22/12 4:35 AM, Mike West wrote:
> What do you think about making such a feature an opt-in portion of the
> policy by adding a `'self'` keyword to the `report-uri` directive? If
> the keyword is set, violation events would be fired at the
> `document.securityPolicy` object; if not, no violation events would fire
> for that policy.

I like the concept but have concerns over re-using 'self'. This is a 
completely different 'self', the page vs. the origin server elsewhere. 
Maybe something like 'page', 'events' or 'enable-events'? Those aren't 
even close to a "URI" though and it's too late to change the report-uri 
directive name -- maybe 'self' wasn't so bad.

I prefer opt-in, but a similar syntax for opt-out could be
    report-uri 'no-events' <sites>;

When you describe this as an "event" do you mean a DOM Event conforming 
to the DOM Level 3 Events spec? Does that mean document.securityPolicy 
is a DOM Node somehow? Maybe we should target the document itself instead.

-Dan Veditz

Received on Wednesday, 28 November 2012 07:11:14 UTC
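
Added example, not part of the original message or of any browser's code: a sketch of how a user agent could interpret the two syntaxes discussed above, the opt-in 'self' keyword and the opt-out 'no-events' keyword in report-uri. The function name, its return shape, and the default of firing events when an opt-out policy carries no 'no-events' keyword are assumptions.

```javascript
// Added illustration of the proposal in this thread; not shipped CSP syntax.
// parseReportUri and its return shape are hypothetical.
//   mode "opt-in":  events fire only if report-uri contains 'self'
//   mode "opt-out": events fire unless report-uri contains 'no-events'
function parseReportUri(policy, mode) {
  const seen = new Set();
  let tokens = [];
  for (const raw of policy.split(";")) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase(); // directive names are case-insensitive
    if (seen.has(name)) continue;        // duplicate directive: first one wins
    seen.add(name);
    if (name === "report-uri") tokens = parts.slice(1);
  }

  // Assumption: under opt-out, events fire by default.
  const result = { fireEvents: mode === "opt-out", reportUris: [], ignored: [] };
  for (const token of tokens) {
    const quoted = /^'[^']*'$/.test(token);
    const keyword = token.toLowerCase();
    if (!quoted) {
      result.reportUris.push(token);     // ordinary report endpoint
    } else if (mode === "opt-in" && keyword === "'self'") {
      result.fireEvents = true;          // page-level meaning, not the origin
    } else if (mode === "opt-out" && keyword === "'no-events'") {
      result.fireEvents = false;
    } else {
      result.ignored.push(token);        // unknown keyword, never treated as a URI
    }
  }
  return result;
}

// Constructed sample policies.
const samples = [
  ["default-src 'self'; report-uri 'self' /csp-report", "opt-in"],
  ["default-src 'self'; report-uri /csp-report", "opt-in"],
  ["report-uri 'no-events' https://example.test/r", "opt-out"],
];
for (const [policy, mode] of samples) {
  console.log(mode, "|", policy, "=>", JSON.stringify(parseReportUri(policy, mode)));
}
```

The second sample shows the overloading concern: 'self' in default-src refers to the origin and does not enable events, which only the keyword inside report-uri would do.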