
Including the JavaScript stack trace in the Content Security Policy report

From: Henry Wong <henrywong@google.com>
Date: Fri, 2 Aug 2013 13:49:23 +0200
Message-ID: <CALMso=Jdt_WnQ+18Q6wmwFoHENU8U0=GO5m7cjOEt2FeqJmkPw@mail.gmail.com>
To: public-webappsec@w3.org
Cc: Mike West <mkwst@google.com>, Adam Barth <abarth@google.com>, Jad Boutros <jad@google.com>

I'd like to propose that CSP reports include the JavaScript stack trace
that resulted in loading the forbidden resource (similar to window.onerror).

In many large web applications (e.g. Google+) it's almost impossible to
figure out why a report was sent. The document URI is typically just
"http://plus.google.com", which doesn't really give us enough context to know
what the user was doing. For example, if an XSS spreads via users' chat
status, then a stack trace that pointed to the status message code would be
much more useful than something that just said there was a report sent from
somewhere on the page.

I filed issue 266151 <https://code.google.com/p/chromium/issues/detail?id=266151> for
this and Adam suggested that I raise it on the list and see what people
thought. Does this sound useful to other people?

Received on Friday, 2 August 2013 11:49:50 UTC
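Added example, not part of Henry Wong's post and not code from Chromium or any CSP implementation: a minimal receiver-side parser for `report-uri` violation reports that makes the post's triage problem concrete. It normalises `document-uri` to origin plus path (so every report from a single-page app collapses to the same value), pulls out the standard `source-file` / `line-number` fields that CSP Level 2 defines for locating the offending script, and reserves a slot for the proposed stack trace under the hypothetical field name `stack-trace` (assumed here; no specification defines it). The three sample reports are constructed for the example.

```javascript
// Receiver-side parsing of CSP violation reports (added example, not the
// original post's code). "stack-trace" is a hypothetical field name standing
// in for the trace proposed in the thread; everything else is the standard
// report format sent to report-uri.

// Constructed sample reports: one with page context only, one with the
// standard source-file/line-number fields, one carrying the proposed trace.
const SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://plus.google.com/","referrer":"",' +
    '"violated-directive":"script-src \'self\'","effective-directive":"script-src",' +
    '"blocked-uri":"https://attacker.invalid/x.js","status-code":200}}',
  '{"csp-report":{"document-uri":"https://plus.google.com/?tab=chat",' +
    '"violated-directive":"script-src \'self\'","blocked-uri":"https://attacker.invalid/x.js",' +
    '"source-file":"https://plus.google.com/static/chat.js","line-number":120,"column-number":5}}',
  '{"csp-report":{"document-uri":"https://plus.google.com/#stream",' +
    '"violated-directive":"script-src \'self\'","blocked-uri":"https://attacker.invalid/x.js",' +
    '"stack-trace":"at renderStatus (https://plus.google.com/static/chat.js:120:5)\\n' +
    'at onChatMessage (https://plus.google.com/static/chat.js:88:3)"}}',
];

// Parse one report body. Returns { ok: false, reason } for malformed input so a
// collector never crashes on attacker-controlled POST bodies.
function parseCspReport(body) {
  let envelope;
  try {
    envelope = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  const r = envelope && envelope['csp-report'];
  if (!r || typeof r !== 'object') {
    return { ok: false, reason: 'missing csp-report envelope' };
  }
  for (const f of ['document-uri', 'violated-directive', 'blocked-uri']) {
    if (typeof r[f] !== 'string') return { ok: false, reason: `missing field ${f}` };
  }
  // Collapse the page URL to origin + path: query and fragment vary per user,
  // but in a large single-page app the result is the same for every report.
  let page;
  try {
    const u = new URL(r['document-uri']);
    page = u.origin + u.pathname;
  } catch (e) {
    return { ok: false, reason: 'document-uri is not a URL' };
  }
  // Standard CSP Level 2 location fields, present only when the UA can attribute
  // the violation to a script.
  const location = {
    file: typeof r['source-file'] === 'string' ? r['source-file'] : null,
    line: Number.isInteger(r['line-number']) ? r['line-number'] : null,
  };
  // Hypothetical stack-trace field: one frame per line.
  const stackFrames = typeof r['stack-trace'] === 'string'
    ? r['stack-trace'].split('\n').map((s) => s.trim()).filter(Boolean)
    : [];
  return {
    ok: true,
    page,
    directive: r['violated-directive'],
    blocked: r['blocked-uri'],
    location,
    stackFrames,
    // The triager's question: does this report point at code, or only at a page?
    locatable: location.file !== null || stackFrames.length > 0,
  };
}

// Summarise a batch: how many reports can be traced to code at all.
function triage(bodies) {
  const parsed = bodies.map(parseCspReport);
  const valid = parsed.filter((p) => p.ok);
  return {
    total: bodies.length,
    rejected: parsed.length - valid.length,
    locatable: valid.filter((p) => p.locatable).length,
    pageOnly: valid.filter((p) => !p.locatable).length,
    pages: [...new Set(valid.map((p) => p.page))],
  };
}

console.log(JSON.stringify(triage(SAMPLE_REPORTS), null, 2));
```

Run with `node`: all three constructed reports collapse to the single page `https://plus.google.com/`, and only the two that carry either `source-file` or a trace are marked locatable, which is the gap the post describes.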
