RE: De-duplicating violation reports?

<hat = website operator>

I agree it is much more valuable to receive reports that are de-duplicated for each instantiation of a resource.
From: Mike West []
Sent: Thursday, August 01, 2013 2:55 AM
Subject: De-duplicating violation reports?

While poking at a bug in Blink's support of 'eval()' in report-only mode[1], Adam suggested rate-limiting the reporting to avoid a tight loop sending a great number of violation reports. That is, given a report-only policy that doesn't whitelist 'eval()', the following code will generate the same JSON object 1,000 times.

    for (i=0; i<1000; i++)

What do you folks think about going one step further than rate-limiting the reporting by deduplicating the reports so that we send a unique JSON object once and only once per page load? I could imagine changing the "send violation reports" steps to compare the JSON object against a list of the objects we've already sent, and abort if there's an exact match.

Is there value I'm missing in getting violation reports for each instance of a violation?


Mike West <<>>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Thursday, 1 August 2013 16:36:04 UTC