- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 18 Jun 2013 08:43:43 -0700
- To: Ken Lee <kennysan@gmail.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 18 June 2013 15:44:18 UTC
On 6/17/2013 9:30 AM, Ken Lee wrote:
> Also--I thought CSP 1.0 forbid submitting reports to an endpoint that
> wasn't the same host, port, scheme as the host?

Early drafts did, but the current nearly-official spec makes no restrictions. The Firefox implementation still restricts the report-uri to the same base domain, defined as the "public suffix" plus one label (e.g. foo.me.com and bar.me.com could both send reports to baz.me.com).

The bug to loosen this is https://bugzilla.mozilla.org/show_bug.cgi?id=843311

-Dan Veditz
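
The same-base-domain rule described in the message above, as an added example that is not part of the original message and is not Firefox's code. The suffix set is a small constructed subset of the Public Suffix List, and `baseDomain` and `reportUriAllowed` are hypothetical names.

```javascript
// Constructed subset of the Public Suffix List, for illustration only.
// A real check needs the full list, including wildcard and exception rules.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// Base domain = longest matching public suffix plus one more label.
// Returns null when the host is itself a public suffix or matches no
// suffix in the set (IP literals and single-label hosts end up here).
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walking from the left tries the longest candidate suffix first,
  // so "co.uk" wins over "uk" for "shop.example.co.uk".
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Hypothetical helper: does reportUri share a base domain with the
// document that delivered the policy?
function reportUriAllowed(documentUrl, reportUri) {
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(reportUri, doc); // a relative report-uri resolves against the document
  } catch {
    return false; // unparseable URL: treat as not allowed
  }
  const docBase = baseDomain(doc.hostname);
  return docBase !== null && docBase === baseDomain(target.hostname);
}

// Constructed sample inputs, using the hosts named in the message.
for (const [doc, uri] of [
  ["https://foo.me.com/app", "https://baz.me.com/csp-report"],
  ["https://bar.me.com/", "/csp-report"],
  ["https://foo.me.com/", "https://reports.example.org/csp"],
  ["https://alice.github.io/", "https://bob.github.io/csp"],
]) {
  console.log(doc, "->", uri, reportUriAllowed(doc, uri));
}
```

The `github.io` pair shows why the suffix list matters: both hosts end in the same two labels, yet each has its own base domain, so a plain "last two labels" comparison would wrongly treat them as the same site.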