W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

Re: De-duplicating violation reports?

From: Mike West <mkwst@google.com>
Date: Mon, 5 Aug 2013 16:06:31 +0200
Message-ID: <CAKXHy=fnx0xPRVW4GdWbWhme5H7ELZJMwGb=AvKouCwf0Ce+FA@mail.gmail.com>
To: Pete Freitag <pete@foundeo.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I've made two changes to the draft based on this thread:

1. User agents _may_ abort sending a report if they've already sent the
same report for a particular resource:
https://dvcs.w3.org/hg/content-security-policy/rev/3f78b10650a9

2. Violation reports are (more) explicitly asynchronous, giving the user
agent more explicit control over when they're sent:
https://dvcs.w3.org/hg/content-security-policy/rev/298a82fd4068

What do you think?

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores


On Thu, Aug 1, 2013 at 5:30 PM, Pete Freitag <pete@foundeo.com> wrote:

> On Thu, Aug 1, 2013 at 5:55 AM, Mike West <mkwst@google.com> wrote:
>
>> What do you folks think about going one step further than rate-limiting
>> the reporting by deduplicating the reports so that we send a unique JSON
>> object once and only once per page load?
>>
>
> Great idea!
>
> I think rate limiting the CSP violation reports still adds value as well,
> I've seen some cases where a server side debugging or error template that
> uses inline css or js in a loop can cause thousands of reports to trigger
> on a single page request. If an attacker finds a way to trigger such an
> output they could DOS the report collection servers.
>
>
>> Is there value I'm missing in getting violation reports for each instance
>> of a violation?
>>
>
> I don't see any lost value, as long as the json representation you are
> comparing also includes the source-file, line-number and column-number of
> the violation (a CSP1.1 csp-report) then it could be skipped IMHO.
>
> --
> Pete Freitag
> http://content-security-policy.com/ - CSP Quick Reference
>
Received on Monday, 5 August 2013 14:07:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC