- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Fri, 15 Feb 2013 22:16:29 +0000
- To: John Wilander <john.wilander@owasp.org>, public-webappsec <public-webappsec@w3.org>
John,

The fragment identifier is not transmitted to nor typically known by the server, and this is used as a security property by some systems such as web-keys (http://waterken.sourceforge.net/web-key/). Section 14.36 of RFC 2616, which governs use of the Referer header, also states that: "The URI MUST NOT include a fragment." We didn't want CSP reporting to become a way to violate those assumptions, deliberately or accidentally.

-Brad

From: John Wilander [mailto:john.wilander@owasp.org]
Sent: Wednesday, February 13, 2013 2:27 AM
To: public-webappsec
Subject: Re: Why no fragment part in CSP-report document-uri?

2013/2/13 John Wilander <john.wilander@owasp.org>

document-uri
The address of the protected resource, with any <fragment> component removed.

Sorry, I meant the ...

blocked-uri
URI of the resource that was prevented from loading due to the policy violation, with any <fragment> component removed, or the empty string if the resource has no URI (inline script and inline style, for example).

Still.

/John

--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
Received on Friday, 15 February 2013 22:17:00 UTC
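The behaviour discussed in the thread, as an added example that is not part of the original messages: a user agent assembling a CSP violation report strips the fragment from both document-uri and blocked-uri, so a web-key style secret kept in the fragment never reaches the report-uri endpoint. The URLs, the secret value and the report shape are constructed for illustration.

```javascript
// Added example (not from the thread): build a CSP violation report so that
// fragment identifiers never reach the server, matching the quoted spec text.
// Web-key pattern: the capability secret lives only in the fragment, e.g.
//   https://app.example/#mhbqcmmva5ja3   (constructed sample value)

// Strip the fragment from a URI; returns "" for a missing URI (inline resources).
function withoutFragment(uri) {
  if (!uri) return "";
  const u = new URL(uri);
  u.hash = ""; // setting hash to "" drops the "#..." part entirely
  return u.href;
}

// Report body as described in the thread: document-uri and blocked-uri have any
// fragment removed; blocked-uri is "" when the resource has no URI (inline code).
function buildCspReport(documentUri, blockedUri, violatedDirective) {
  return {
    "csp-report": {
      "document-uri": withoutFragment(documentUri),
      "blocked-uri": withoutFragment(blockedUri),
      "violated-directive": violatedDirective,
    },
  };
}

// Defender's self-check: would the serialized report disclose the fragment
// secret that the document's URL carries?
function leaksFragment(documentUri, report) {
  const fragment = new URL(documentUri).hash.slice(1);
  return fragment.length > 0 && JSON.stringify(report).includes(fragment);
}

// Constructed sample: a web-key page tries to load an image blocked by img-src.
const page = "https://app.example/dashboard#mhbqcmmva5ja3";
const blocked = "https://cdn.example/pixel.png#track";
const report = buildCspReport(page, blocked, "img-src 'self'");
console.log(JSON.stringify(report, null, 2));
console.log("secret leaked:", leaksFragment(page, report)); // false
```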