- From: Mike West <mkwst@google.com>
- Date: Thu, 1 Aug 2013 11:55:47 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=d1hiko91_QwJr_2Gh_t5z04Cm3++-3y8NDoEwd+-=ZZQ@mail.gmail.com>
While poking at a bug in Blink's support of 'eval()' in report-only mode[1], Adam suggested rate-limiting the reporting to avoid a tight loop sending a great number of violation reports. That is, given a report-only policy that doesn't whitelist 'eval()', the following code will generate the same JSON object 1,000 times.

    for (i=0; i<1000; i++) eval(...);

What do you folks think about going one step further than rate-limiting the reporting by deduplicating the reports so that we send a unique JSON object once and only once per page load? I could imagine changing the "send violation reports" steps to compare the JSON object against a list of the objects we've already sent, and abort if there's an exact match.

Is there value I'm missing in getting violation reports for each instance of a violation?

[1]: https://codereview.chromium.org/19787002/

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Thursday, 1 August 2013 09:56:36 UTC
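The per-page-load deduplication the mail proposes, as an added example (not code from the original thread, from Blink, or from the CSP spec): a report dispatcher keeps a record of every violation report it has already sent and drops later reports that are an exact match, so the 1,000-iteration eval() loop produces one report instead of 1,000 while a genuinely different violation on the same page is still reported. The report field names are those of CSP 1.0 violation reports; the values, the `send` transport hook and the `makeReport` helper are constructed for this example.

```javascript
// Serialize a report with object keys sorted at every level, so two reports
// carrying the same fields compare equal regardless of key order.
function canonicalize(value) {
  if (Array.isArray(value)) {
    return '[' + value.map(canonicalize).join(',') + ']';
  }
  if (value !== null && typeof value === 'object') {
    const keys = Object.keys(value).sort();
    return '{' + keys
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value);
}

// One instance per page load. `seen` is the "list of the objects we've
// already sent" from the mail; an exact match aborts the send.
class ViolationReporter {
  constructor(send) {
    this.seen = new Set();
    // Hypothetical transport: a real implementation would POST to report-uri.
    this.send = send || (() => {});
    this.sent = [];    // reports actually dispatched
    this.dropped = 0;  // exact duplicates suppressed
  }

  report(violation) {
    const key = canonicalize(violation);
    if (this.seen.has(key)) {
      this.dropped += 1;
      return false;
    }
    this.seen.add(key);
    this.sent.push(violation);
    this.send(violation);
    return true;
  }
}

// Build a report shaped like a CSP 1.0 violation report. Field names follow
// the spec; all values are constructed for this example.
function makeReport(blockedUri) {
  return {
    'csp-report': {
      'document-uri': 'https://example.test/page',
      'referrer': '',
      'blocked-uri': blockedUri,
      'violated-directive': "script-src 'self'",
      'original-policy': "script-src 'self'; report-uri /csp-report",
    },
  };
}

// The loop from the mail: the same eval() violation fired `iterations` times.
function simulateEvalLoop(reporter, iterations) {
  for (let i = 0; i < iterations; i++) {
    reporter.report(makeReport('eval'));  // identical report object each time
  }
  return {
    attempted: iterations,
    sent: reporter.sent.length,
    dropped: reporter.dropped,
  };
}

const reporter = new ViolationReporter();
console.log(simulateEvalLoop(reporter, 1000));
// A different violation on the same page is still reported, once.
console.log(reporter.report(makeReport('https://cdn.example.test/x.js')));
console.log(reporter.report(makeReport('https://cdn.example.test/x.js')));
```

Keying on a canonical serialization rather than the raw JSON string matters because two reports for the same violation should collapse even if a serializer emits their fields in a different order; the trade-off the mail asks about is that the receiving endpoint loses the count of how many times a given violation fired during the page load.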