Re: cspBuilder Wizard

On 6/17/2013 9:30 AM, Ken Lee wrote:
> Also--I thought CSP 1.0 forbade submitting reports to an endpoint that
> wasn't the same host, port, scheme as the host?

Early drafts did, but the current nearly-official spec makes no
restrictions. The Firefox implementation still restricts the report-uri
to the same base domain, defined as the "public suffix" plus one label
(e.g. foo.me.com and bar.me.com could both send reports to baz.me.com).

The bug to loosen this is
https://bugzilla.mozilla.org/show_bug.cgi?id=843311

-Dan Veditz

Received on Tuesday, 18 June 2013 15:44:18 UTC
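
The "public suffix plus one label" rule from the message above, sketched as an added example (not Firefox's code and not part of the original thread). The suffix set is a constructed subset of the Public Suffix List, the function names are hypothetical, and requiring an exact host match when no base domain exists is an assumption of this sketch.

```javascript
// Constructed subset of the Public Suffix List, for illustration only.
// The real list also has wildcard and exception rules, omitted here.
const SAMPLE_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// Return the "public suffix plus one label" for a host name, or null
// when there is none (IP literal, or the host is itself a public suffix).
function baseDomain(host, suffixes = SAMPLE_SUFFIXES) {
  host = host.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.includes(":")) return null; // IP literal
  const labels = host.split(".");
  // Longest matching suffix wins, so start from the full host name.
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the list: treat as having no base domain
}

// Would this report-uri pass a same-base-domain check for a policy
// delivered with the document at documentUrl?
function reportUriAllowed(documentUrl, reportUri) {
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(reportUri, doc); // relative values resolve against the document
  } catch (e) {
    return false; // unparseable URL: never a valid report target
  }
  const a = baseDomain(doc.hostname);
  const b = baseDomain(target.hostname);
  if (a === null || b === null) {
    return doc.hostname === target.hostname; // assumption: fall back to exact host
  }
  return a === b;
}

// Keep only the report-uri values (space-separated) that pass the check.
function filterReportUris(documentUrl, directiveValue) {
  return directiveValue.trim().split(/\s+/)
    .filter((u) => reportUriAllowed(documentUrl, u));
}
```

Comparing only the last two labels would treat every `co.uk` or `github.io` site as one party, which is why the check needs the suffix list.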