- From: Pete Freitag <pete@foundeo.com>
- Date: Thu, 1 Aug 2013 11:30:55 -0400
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Sunday, 4 August 2013 11:53:13 UTC
On Thu, Aug 1, 2013 at 5:55 AM, Mike West <mkwst@google.com> wrote:

> What do you folks think about going one step further than rate-limiting
> the reporting by deduplicating the reports so that we send a unique JSON
> object once and only once per page load?

Great idea! I think rate limiting the CSP violation reports still adds value as well. I've seen some cases where a server-side debugging or error template that uses inline CSS or JS in a loop can cause thousands of reports to trigger on a single page request. If an attacker finds a way to trigger such an output they could DOS the report collection servers.

> Is there value I'm missing in getting violation reports for each instance
> of a violation?

I don't see any lost value; as long as the JSON representation you are comparing also includes the source-file, line-number and column-number of the violation (a CSP 1.1 csp-report), then it could be skipped IMHO.

--
Pete Freitag
http://content-security-policy.com/ - CSP Quick Reference
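The collector-side view of the two ideas in this exchange, as an added example that is not part of the original thread or any W3C or browser code: reports are deduplicated on a key that includes source-file, line-number and column-number (so two inline-script violations on different lines stay distinct) and then rate-limited per document-uri so a looping debug template cannot flood the collector. The page-load identifier is an assumed value supplied by the caller, and the sample reports are constructed.

```python
import json
import time
from collections import defaultdict

# csp-report fields that identify one distinct violation. Leaving out
# source-file / line-number / column-number would collapse different
# violations into one "duplicate", which is the loss the thread warns about.
DEDUP_FIELDS = ("document-uri", "violated-directive", "blocked-uri",
                "source-file", "line-number", "column-number")


class ReportCollector:
    """Dedup once per page load, then cap accepted reports per document-uri."""

    def __init__(self, max_per_window=100, window_seconds=60.0, now=time.monotonic):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.now = now
        self.seen = set()                 # (page_load_id, dedup key) already accepted
        self.accepted_at = defaultdict(list)  # document-uri -> accept timestamps
        self.accepted = []

    @staticmethod
    def dedup_key(report):
        body = report["csp-report"]
        return tuple(str(body.get(f, "")) for f in DEDUP_FIELDS)

    def submit(self, raw_json, page_load_id):
        """Return 'accepted', 'duplicate' or 'rate-limited' for one POSTed report."""
        report = json.loads(raw_json)
        key = (page_load_id,) + self.dedup_key(report)   # page_load_id is assumed
        if key in self.seen:
            return "duplicate"
        doc = report["csp-report"].get("document-uri", "")
        t = self.now()
        recent = [ts for ts in self.accepted_at[doc] if t - ts < self.window_seconds]
        self.accepted_at[doc] = recent
        if len(recent) >= self.max_per_window:
            return "rate-limited"       # flood from a looping template is dropped
        self.seen.add(key)
        recent.append(t)
        self.accepted.append(report)
        return "accepted"


def demo(max_per_window=3):
    """Constructed reports: same violation twice, then three more lines, then a new load."""
    c = ReportCollector(max_per_window=max_per_window)
    base = {"document-uri": "https://example.com/debug", "violated-directive": "script-src 'self'",
            "blocked-uri": "inline", "source-file": "https://example.com/debug",
            "line-number": 10, "column-number": 5}
    def rep(**extra):
        return json.dumps({"csp-report": {**base, **extra}})
    loads = [("load-1", rep()), ("load-1", rep()), ("load-1", rep(**{"line-number": 11})),
             ("load-1", rep(**{"line-number": 12})), ("load-1", rep(**{"line-number": 13})),
             ("load-2", rep())]
    return [c.submit(raw, load_id) for load_id, raw in loads], len(c.accepted)
```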