
Re: De-duplicating violation reports?

From: Pete Freitag <pete@foundeo.com>
Date: Thu, 1 Aug 2013 11:30:55 -0400
Message-ID: <CAADZ8V4KcnvDaKehw_=L--8xRH2eDecK3s48+we3duZ3QowT3g@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Aug 1, 2013 at 5:55 AM, Mike West <mkwst@google.com> wrote:

> What do you folks think about going one step further than rate-limiting
> the reporting by deduplicating the reports so that we send a unique JSON
> object once and only once per page load?

Great idea!

I think rate limiting the CSP violation reports still adds value as well.
I've seen some cases where a server-side debugging or error template that
uses inline CSS or JS in a loop can cause thousands of reports to trigger
on a single page request. If an attacker finds a way to trigger such an
output, they could DoS the report collection servers.

> Is there value I'm missing in getting violation reports for each instance
> of a violation?

I don't see any lost value; as long as the JSON representation you are
comparing also includes the source-file, line-number and column-number of
the violation (a CSP 1.1 csp-report), then it could be skipped IMHO.

Pete Freitag
http://content-security-policy.com/ - CSP Quick Reference
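A collector-side sketch of the comparison discussed in this thread, added here as an example and not code from the original post: it keys each report on the CSP 1.1 csp-report fields named in the reply (including source-file, line-number and column-number), drops exact duplicates within one page load, and caps the distinct reports accepted per page load. The page-load id, the `ReportFilter` class and the sample reports are assumptions.

```python
import json
from collections import defaultdict

# Fields of a CSP 1.1 csp-report that identify one distinct violation.
# source-file/line-number/column-number keep two violations of the same
# directive at different code locations distinct, as the reply suggests.
KEY_FIELDS = (
    "document-uri", "violated-directive", "effective-directive",
    "blocked-uri", "source-file", "line-number", "column-number",
)

def report_key(csp_report):
    """Canonical JSON of the identifying fields, so key order and unrelated
    fields (e.g. original-policy) do not defeat the comparison."""
    return json.dumps({f: csp_report.get(f) for f in KEY_FIELDS}, sort_keys=True)

class ReportFilter:
    """Hypothetical collector-side filter: drop exact duplicates within one
    page load and cap the distinct reports accepted per page load (assumes
    the collector can attribute reports to a page-load id, e.g. via a
    per-load token in the report-uri)."""

    def __init__(self, max_per_page=100):
        self.max_per_page = max_per_page
        self.seen = defaultdict(set)  # page-load id -> accepted report keys

    def accept(self, page_load_id, csp_report):
        key = report_key(csp_report)
        seen = self.seen[page_load_id]
        if key in seen:
            return False  # duplicate: same violation at the same location
        if len(seen) >= self.max_per_page:
            return False  # rate limit: looped template or deliberate flood
        seen.add(key)
        return True

def demo():
    """Constructed sample: a debug template emitting inline script in a loop."""
    base = {"document-uri": "https://example.com/debug", "violated-directive":
            "script-src 'self'", "effective-directive": "script-src",
            "blocked-uri": "inline", "source-file": "https://example.com/debug",
            "column-number": 1}
    f = ReportFilter(max_per_page=100)
    # 1000 reports for the identical violation (same line): only one is kept.
    same = sum(f.accept("load-1", dict(base, **{"line-number": 42})) for _ in range(1000))
    # 500 violations at distinct lines on another load: the cap keeps 100.
    distinct = sum(f.accept("load-2", dict(base, **{"line-number": n})) for n in range(500))
    return same, distinct
```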
Received on Sunday, 4 August 2013 11:53:13 UTC