W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

Re: Including the Javascript stack trace in the ContentSecurityPolicy report

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 02 Aug 2013 07:53:56 -0400
Message-ID: <51FB9DD4.1020407@mit.edu>
To: public-webappsec@w3.org
On 8/2/13 7:49 AM, Henry Wong wrote:
> I'd like to propose that CSP reports include the Javascript stack trace
> that resulted in loading the forbidden resource (similar to window.onerror).

Can you define "resulted"?  For example if I createElement("iframe"), 
then set the src, then insert it into the document, which of those 
operations "results" in the load?

Note also that load are in many cases triggered asynchronously and can 
be coalesced across various DOM mutations, so any implementation of this 
might significantly slow down DOM mutations that might result in loads.  :(

-Boris
Received on Friday, 2 August 2013 11:54:25 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC