- From: Neil Matatall <neilm@twitter.com>
- Date: Mon, 14 Jan 2013 18:13:58 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 15 January 2013 02:14:26 UTC
When I receive a CSP report that was triggered by a default-src violation
Then I would like to receive data indicating what type of violation occurred.

When applying a policy, I copy default-src into any directive that doesn't have a value so when I receive the report, I know what type of violation occurred. With inline/eval, this isn't an issue because it's obviously script and script-src is usually defined anyhow :)

Without this, I cannot tell whether it was a frame-src, font-src, connect-src, etc. violation because all I see is default-src in the violated directive field.

Thoughts?
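The workaround described in the message above (copying default-src into every directive that has no value, so the report names a specific directive), sketched as an added example that is not code from the original post. The directive list is the CSP 1.0 fallback set, and the function names, sample policy and sample report are constructed for illustration.

```python
# Added example: copy default-src into the directives that fall back to it.
# The directive list is the CSP 1.0 fallback set (an assumption about policy level).
FALLBACK_DIRECTIVES = (
    "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src",
)


def parse_policy(policy):
    """Split a policy string into an ordered {directive: [sources]} dict."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by CSP: the first instance wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def expand_default_src(policy):
    """Give every unset fallback directive its own copy of default-src's
    source list, so a report names the specific directive that was violated."""
    directives = parse_policy(policy)
    default = directives.get("default-src")
    if default is not None:  # without default-src there is nothing to copy
        for name in FALLBACK_DIRECTIVES:
            directives.setdefault(name, list(default))
    return serialize(directives)


def serialize(directives):
    """Join the directives back into a header value."""
    return "; ".join(" ".join([name] + src) for name, src in directives.items())


def violated_directive_name(report):
    """Return the directive name from a report's violated-directive field."""
    return report["csp-report"]["violated-directive"].split()[0].lower()


# Constructed sample policy and report, not taken from the original message.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example; report-uri /csp"
SAMPLE_REPORT = {"csp-report": {"blocked-uri": "https://fonts.example",
                                "violated-directive": "font-src 'self'"}}

if __name__ == "__main__":
    print(expand_default_src(SAMPLE_POLICY))
    print(violated_directive_name(SAMPLE_REPORT))
```

The expansion does not change what the policy allows, because an unset directive in this set already uses default-src's source list; directives that do not fall back to default-src, such as report-uri, are left as they are.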