Re: Trigger a DOM event/error when a CSP violation happens.

If we can't debug the origin of the alert, it's impossible for us to
differentiate an attack from a bug like this.


On Fri, Oct 26, 2012 at 4:12 PM, John J Barton
<johnjbarton@johnjbarton.com>wrote:

> On Fri, Oct 26, 2012 at 3:53 PM, Dan Veditz <dveditz@mozilla.com> wrote:
> ...
> > Such APIs would be out of scope for this WG so I'd just like to state the
> > privacy principal that user-agent supplied policies do not report
> violations
> > to the originating server or page content.
>
> Similarly, extension supplied policies should not report. Otherwise
> web pages can probe the users installed extensions.
>
> jjb
>
> > I'm not against firing events at
> > the page for violations of the page's own policy.
> >
> > -Dan Veditz
> >
>

Received on Friday, 26 October 2012 23:17:24 UTC