- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 20 Apr 2013 16:00:55 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Saturday, 20 April 2013 23:01:55 UTC
If we're sending the line number, I don't see any harm in sending the column number as well.

Adam

On Sat, Apr 20, 2013 at 2:21 PM, Mike West <mkwst@google.com> wrote:
> From https://github.com/blog/1477-content-security-policy:
>
> "Depending on the browser, the report payload can be pretty vague. You're
> lucky to get a line number (without any offset) on a minified js file when
> a script triggers a violation. It's usually impossible to tell if the error
> is happening in your JS or some extension inject code."
>
> Does anyone have any objection to adding column numbers to CSP 1.1's
> violation reports and securitypolicyviolation events? I don't think it adds
> anything relevant from a privacy perspective above and beyond line numbers,
> but it could certainly be useful for detail in minified code.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91