- From: Henry Wong <henrywong@google.com>
- Date: Fri, 2 Aug 2013 13:49:23 +0200
- To: public-webappsec@w3.org
- Cc: Mike West <mkwst@google.com>, Adam Barth <abarth@google.com>, Jad Boutros <jad@google.com>
Received on Friday, 2 August 2013 11:49:50 UTC
Hi,

I'd like to propose that CSP reports include the JavaScript stack trace that resulted in loading the forbidden resource (similar to window.onerror). In many large web applications (e.g. Google+) it's almost impossible to figure out why a report was sent. The document URI is typically just "http://plus.google.com", which doesn't really give us enough context to know what the user was doing.

For example, if an XSS spreads via users' chat status then a stack trace that pointed to the status message code would be much more useful than something that just said there was a report sent from somewhere on the page.

I filed issue 266151 <https://code.google.com/p/chromium/issues/detail?id=266151> for this and Adam suggested that I raise it on the list and see what people thought. Does this sound useful to other people?

Henry
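The following is an added example, not code from the post above, from Chromium, or from the CSP specification. It shows the closest thing a page can do for itself today to get the "stack trace that loaded the forbidden resource" the post asks for: listen for the `securitypolicyviolation` DOM event (a CSP feature that postdates this 2013 message) and correlate its `blockedURI` with stacks recorded at the moment a `src`-bearing element was inserted into the DOM. The caveat a practitioner needs is in the comments: the browser queues the violation event as a task, so a stack captured inside the handler points at the handler, not at the code that injected the resource, which is why the stack has to be captured at insertion time. The `appendChild`/`insertBefore` hooks, the 50-entry ring buffer and the `/csp-report-with-stack` collector path are assumptions of this example; injection through `innerHTML` or `document.write` is not seen by these hooks.

```javascript
// Added example (not from the original post): correlate a CSP violation with
// the JavaScript stack that inserted the blocked resource.
//
// A stack captured inside the 'securitypolicyviolation' handler is useless for
// this purpose: the browser queues the event as a task, so by the time it fires
// the offending code has long returned. Instead, record the stack at insertion
// time and look it up when the violation arrives.

const RECENT_LIMIT = 50;        // assumption: how many insertions to remember
const recentInserts = [];       // ring buffer of { url, stack, at }

// Error.prototype.stack is non-standard but present in every major engine.
function captureStack() {
  const lines = (new Error().stack || '').split('\n');
  // Drop the "Error" header plus the captureStack/recordInsert frames so the
  // first remaining frame is the caller that performed the insertion.
  return lines.slice(3).join('\n');
}

// Strip the fragment so recorded URLs compare like CSP's blocked-uri value.
function stripForMatch(url) {
  return String(url).split('#')[0];
}

function recordInsert(url) {
  if (recentInserts.length >= RECENT_LIMIT) recentInserts.shift();
  recentInserts.push({ url: stripForMatch(url), stack: captureStack(), at: Date.now() });
}

// Find the most recent insertion matching a blocked-uri value. CSP3 reports the
// stripped URL; older implementations reduced cross-origin URLs to their origin,
// so fall back to an origin/prefix match. 'inline' and 'eval' never match.
function findInsert(blockedURI) {
  const target = stripForMatch(blockedURI || '');
  if (!target) return null;
  for (let i = recentInserts.length - 1; i >= 0; i--) {
    const e = recentInserts[i];
    if (e.url === target || e.url.startsWith(target + '/')) return e;
  }
  return null;
}

// Build the report we actually want: the fields the browser gives us plus the
// insertion stack, if we saw one. `ev` is a SecurityPolicyViolationEvent or a
// plain object with the same property names.
function enrichViolation(ev) {
  const hit = findInsert(ev.blockedURI);
  return {
    blockedURI: ev.blockedURI,
    violatedDirective: ev.violatedDirective,
    sourceFile: ev.sourceFile,
    lineNumber: ev.lineNumber,
    columnNumber: ev.columnNumber,
    insertStack: hit ? hit.stack : null,
    insertAgeMs: hit ? Date.now() - hit.at : null,
  };
}

// Browser-only wiring. Hooks appendChild/insertBefore, which is where a
// script/img/iframe built with document.createElement ends up. It does NOT see
// innerHTML or document.write injection (assumption: src-based loads are the
// common case). The collector path is a placeholder.
function installDomHooks(win) {
  const NodeProto = win.Node.prototype;
  for (const name of ['appendChild', 'insertBefore']) {
    const orig = NodeProto[name];
    NodeProto[name] = function (node, ...rest) {
      if (node && typeof node.src === 'string' && node.src) recordInsert(node.src);
      return orig.call(this, node, ...rest);
    };
  }
  win.document.addEventListener('securitypolicyviolation', (ev) => {
    const report = JSON.stringify(enrichViolation(ev));
    win.navigator.sendBeacon('/csp-report-with-stack', report);  // assumed endpoint
  });
}

if (typeof window !== 'undefined') installDomHooks(window);
```

The correlation is heuristic: a resource inserted twice in quick succession yields the most recent stack, and anything that bypasses the hooked insertion paths yields `insertStack: null`, which is still more than the `document-uri` alone tells you.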