- From: Mike West <mkwst@google.com>
- Date: Tue, 15 Jan 2013 06:56:14 -0800
- To: Neil Matatall <neilm@twitter.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 15 January 2013 14:57:06 UTC
Makes sense to me. What would you like to see in the violation report? Would something like `"violation-type": "image"` or `"violation-type": "frame"` be sufficient?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Mon, Jan 14, 2013 at 6:13 PM, Neil Matatall <neilm@twitter.com> wrote:
> When I receive a CSP report that was triggered by a default-src violation
> Then I would like to receive data indicating what type of violation
> occurred.
>
> When applying a policy, I copy default-src into any directive that doesn't
> have a value so when I receive the report, I know what type of violation
> occurred. With inline/eval, this isn't an issue because it's obviously
> script and script-src is usually defined anyhow :)
>
> Without this, I cannot tell whether it was a frame-src, font-src,
> connect-src, etc. violation because all I see is default-src in the
> violated directive field.
>
> Thoughts?
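The workaround described in the quoted message (copying default-src into every directive the policy leaves unset, so a report names the specific directive) can be sketched as follows. This is an added example, not code from either participant; the function names, the sample policy and the directive list (the fetch directives that fall back to default-src in CSP 1.0) are assumptions made for illustration.

```python
# Added example: expand default-src into the unset fetch directives before
# sending the header, so the report's violated directive is specific.

# Assumption: the directives that fall back to default-src in CSP 1.0.
FALLBACK_DIRECTIVES = (
    "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src",
)

# Constructed sample policy (hypothetical hosts and report endpoint).
SAMPLE_POLICY = "default-src 'self'; img-src https://img.example; report-uri /csp-report"


def parse_policy(policy):
    """Parse a CSP header value into an ordered {directive: [sources]} dict."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # tolerate empty segments such as a trailing ';'
        name = tokens[0].lower()
        # A repeated directive is ignored; the first occurrence wins.
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def serialize(directives):
    """Turn the parsed dict back into a header value."""
    return "; ".join(" ".join([name] + srcs) for name, srcs in directives.items())


def expand_default_src(policy):
    """Copy default-src into every fallback directive the policy leaves unset."""
    directives = parse_policy(policy)
    default = directives.get("default-src")
    if default is not None:
        for name in FALLBACK_DIRECTIVES:
            # Explicit directives (img-src in the sample) are left untouched.
            directives.setdefault(name, list(default))
    return serialize(directives)


if __name__ == "__main__":
    print(expand_default_src(SAMPLE_POLICY))
```

Non-fetch directives such as report-uri pass through unchanged, and a policy with no default-src is returned as it was parsed.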