- From: John Wilander <john.wilander@owasp.org>
- Date: Wed, 13 Feb 2013 11:23:31 +0100
- To: public-webappsec <public-webappsec@w3.org>
- Message-ID: <CALrECXBEV9y182wDOx7ac-XJeJvaWj2P_=mzfsZhMPy+tw74nQ@mail.gmail.com>
Hi!

The CSP report spec says (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri):

    csp-report
    A JSON object containing the following keys and values:

    document-uri
    The address (http://www.w3.org/TR/html5/dom.html#the-document%27s-address) of the protected resource, with any fragment (http://www.w3.org/TR/html5/urls.html#url-fragment) component removed.

This is a problem for stateful Ajax applications using so-called hashbang URLs for navigation and application state, e.g. https://example.com/#!purchase/checkout/billing. You just cannot tell where the user was in the application when the CSP violation happened for such applications.

I'm aware that data after the fragment identifier should not be sent to the server in regular HTTP requests. However, does that rule have to apply to CSP reports? Or are there other reasons for the "fragment component removed" spec rule? Could we make it configurable in the policy header?

I've been digging through quite some CSP reports lately and I can assure you this is a significant problem.

Regards, John

--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
Received on Wednesday, 13 February 2013 10:23:59 UTC
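An added example (not part of the original message or the CSP spec) that applies the document-uri rule quoted above and shows, from a report collector's point of view, why it loses hashbang state: the function names, the sample URLs and the blocked resource are constructed for illustration.

```python
"""Illustrates the CSP report-uri rule that document-uri is sent with its
fragment removed, and why that hides hashbang application state."""
import json
from collections import Counter
from urllib.parse import urlsplit, urlunsplit


def strip_fragment(url: str) -> str:
    """Spec rule: the protected resource's address with any fragment
    component removed (what a conforming browser puts in document-uri)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def make_csp_report(document_url: str, violated_directive: str,
                    blocked_uri: str) -> str:
    """Build the JSON body a browser would POST to report-uri.
    Constructed sample: only the keys relevant here are included."""
    report = {
        "csp-report": {
            "document-uri": strip_fragment(document_url),
            "violated-directive": violated_directive,
            "blocked-uri": blocked_uri,
        }
    }
    return json.dumps(report)


def group_reports_by_document(bodies):
    """Collector side: count reports per document-uri, which is what you
    would do when trying to locate where in the app violations occur."""
    counts = Counter()
    for body in bodies:
        counts[json.loads(body)["csp-report"]["document-uri"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample: two different hashbang states of the same app.
    bodies = [
        make_csp_report("https://example.com/#!purchase/checkout/billing",
                        "script-src 'self'", "https://cdn.example.net/x.js"),
        make_csp_report("https://example.com/#!purchase/cart",
                        "script-src 'self'", "https://cdn.example.net/x.js"),
    ]
    # Both reports collapse to document-uri "https://example.com/", so the
    # application state at the time of the violation cannot be recovered.
    print(group_reports_by_document(bodies))
```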