
Re: De-duplicating violation reports?

From: Pete Freitag <pete@foundeo.com>
Date: Thu, 1 Aug 2013 11:30:55 -0400
Message-ID: <CAADZ8V4KcnvDaKehw_=L--8xRH2eDecK3s48+we3duZ3QowT3g@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Aug 1, 2013 at 5:55 AM, Mike West <mkwst@google.com> wrote:

> What do you folks think about going one step further than rate-limiting
> the reporting by deduplicating the reports so that we send a unique JSON
> object once and only once per page load?
>

Great idea!

I think rate limiting the CSP violation reports still adds value as well.
I've seen some cases where a server-side debugging or error template that
uses inline CSS or JS in a loop can cause thousands of reports to trigger
on a single page request. If an attacker finds a way to trigger such an
output, they could DoS the report collection servers.


> Is there value I'm missing in getting violation reports for each instance
> of a violation?
>

I don't see any lost value. As long as the JSON representation you are
comparing also includes the source-file, line-number and column-number of
the violation (a CSP 1.1 csp-report), then it could be skipped, IMHO.

--
Pete Freitag
http://content-security-policy.com/ - CSP Quick Reference
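As an added illustration (not code from this thread, nor from any browser or report-collector implementation), the following JavaScript models both defences discussed above: the browser-side per-page-load dedup Mike proposes, keyed on the CSP 1.1 csp-report fields Pete names, and a collector-side fixed-window rate limit for the looping-template case Pete describes. The class names, limits, client id and sample report are assumed here; only the csp-report field names come from CSP 1.1.

```javascript
'use strict';

// Fields that identify a distinct violation. Keeping source-file,
// line-number and column-number in the key means two violations of the
// same directive at different places in the page stay distinct.
const IDENTITY_FIELDS = [
  'document-uri', 'referrer', 'blocked-uri', 'violated-directive',
  'effective-directive', 'original-policy', 'source-file',
  'line-number', 'column-number',
];

// Canonical key for a report: identity fields only, in a fixed order, so
// key order in the incoming JSON and any extra fields cannot defeat dedup.
// Accepts either the {"csp-report": {...}} wrapper or the bare object.
function violationKey(report) {
  const body = report['csp-report'] || report;
  return JSON.stringify(IDENTITY_FIELDS.map((f) => (body[f] === undefined ? null : body[f])));
}

// Browser-side model (assumed name): one page load sends each unique report once.
class PageLoadReporter {
  constructor() { this.sent = new Set(); this.outbox = []; }
  // Returns true if the report was queued, false if it was a duplicate.
  report(report) {
    const key = violationKey(report);
    if (this.sent.has(key)) return false;
    this.sent.add(key);
    this.outbox.push(report);
    return true;
  }
}

// Collector-side model (assumed name): a fixed-window budget per client,
// checked before dedup so every request counts against it (the cost of
// receiving the request has already been paid), plus dedup of what is stored.
class ReportCollector {
  constructor({ maxPerWindow = 100, windowMs = 60000, now = () => Date.now() } = {}) {
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // clientId -> { start, count }
    this.seen = new Map();    // clientId -> Set of keys for the current window
    this.stored = [];
  }
  // Returns 'accepted', 'duplicate' or 'rate-limited'.
  submit(clientId, report) {
    const t = this.now();
    let b = this.buckets.get(clientId);
    if (!b || t - b.start >= this.windowMs) {
      b = { start: t, count: 0 };
      this.buckets.set(clientId, b);
      this.seen.set(clientId, new Set());
    }
    if (++b.count > this.maxPerWindow) return 'rate-limited';
    const key = violationKey(report);
    const seen = this.seen.get(clientId);
    if (seen.has(key)) return 'duplicate';
    seen.add(key);
    this.stored.push({ clientId, report });
    return 'accepted';
  }
}

// Constructed sample input: a debug template that emits an inline style on
// every line it renders, so each instance has a different line-number.
function sampleReport(line) {
  return { 'csp-report': {
    'document-uri': 'https://example.test/debug',
    'violated-directive': 'style-src',
    'effective-directive': 'style-src',
    'original-policy': "default-src 'self'; report-uri /csp",
    'blocked-uri': 'inline',
    'source-file': 'https://example.test/debug',
    'line-number': line,
    'column-number': 1,
  } };
}

function demo() {
  // Browser: 1000 violations at 1000 distinct lines survive dedup, since
  // line-number is part of the key; an exact replay of one does not.
  const page = new PageLoadReporter();
  for (let i = 1; i <= 1000; i++) page.report(sampleReport(i));
  const replayQueued = page.report(sampleReport(42));

  // Collector: with a budget of 3 per window, the rate limit (not dedup)
  // is what stops the remaining 997 unique reports from the same client.
  let t = 0;
  const c = new ReportCollector({ maxPerWindow: 3, windowMs: 1000, now: () => t });
  const tally = { accepted: 0, duplicate: 0, 'rate-limited': 0 };
  for (const r of page.outbox) tally[c.submit('203.0.113.7', r)]++;

  // Next window: budget and dedup state reset, so a replayed report is
  // accepted once and then recognised as a duplicate.
  t = 1000;
  const afterReset = [c.submit('203.0.113.7', sampleReport(42)),
                      c.submit('203.0.113.7', sampleReport(42))];
  return { uniqueOnPage: page.outbox.length, replayQueued, tally, afterReset };
}

console.log(JSON.stringify(demo()));
```

The ordering inside submit() is the design point: dedup is keyed on the same fields Pete lists, so it cannot by itself collapse a loop that produces a new line-number per iteration, which is exactly why the collector still needs a per-client budget in front of it.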
Received on Sunday, 4 August 2013 11:53:13 UTC
