Re: Report-uri same-origin restrictions?

On Mon, Oct 15, 2012 at 7:36 AM, Fred Andrews <> wrote:
> Does the CSP report-uri need to satisfy the same-origin restrictions?

Nope.  An earlier version of the specification had that requirement,
but the current version does not.

> Sorry it did not pop out at me reading the spec. and given that reporting
> seems to be silent to the user in most implementations it would appear to be
> a DDOS attack issue.

It's not any more of a DDOS issue than the <img> element.


Received on Monday, 15 October 2012 16:08:57 UTC