Re: De-duplicating violation reports? from Daniel Veditz on 2013-08-03 (public-webappsec@w3.org from August 2013)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sat, 03 Aug 2013 16:40:01 -0700
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: Neil Matatall <neilm@twitter.com>, Brad Hill <bhill@paypal-inc.com>, public-webappsec@w3.org, Mike West <mkwst@google.com>
Message-ID: <51FD94D1.8060600@mozilla.com>

On 8/1/2013 10:19 AM, Devdatta Akhawe wrote:
> I think it is useful to have, but I am not sure what the advantage of
> spec'ing it would be. Maybe just leave it as a suggestion
> (non-normative?) in the spec? UAs can either implement dedup, or a
> throttle, or bunch up multiple reports into a single request. The spec
> is better off leaving it to the UA and its developers.

That could lead to web authors having to turn off reports to prevent
being swamped if one of the major browsers doesn't de-duplicate. Since
duplicate reports are never useful to the web author we should remove
this potential source of abuse.

-Dan Veditz

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Saturday, 3 August 2013 23:40:31 UTC