- From: Fred Andrews <fredandw@live.com>
- Date: Mon, 15 Oct 2012 14:36:16 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 15 October 2012 14:36:46 UTC
Does the CSP report-uri need to satisfy the same-origin restrictions? Sorry, it did not pop out at me reading the spec, and given that reporting seems to be silent to the user in most implementations, it would appear to be a DDoS attack issue.

The matter is addressed here in section 'Restrictions on policy-uri and report-uri': https://wiki.mozilla.org/Security/CSP/Specification

cheers
Fred