
Re: cspBuilder Wizard

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 18 Jun 2013 08:43:43 -0700
Message-ID: <51C0802F.3050004@mozilla.com>
To: Ken Lee <kennysan@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 6/17/2013 9:30 AM, Ken Lee wrote:
> Also--I thought CSP 1.0 forbade submitting reports to an endpoint that
> wasn't the same host, port, scheme as the host?

Early drafts did, but the current nearly-official spec makes no
restrictions. The Firefox implementation still restricts the report-uri
to the same base domain, defined as the "public suffix" plus one label
(e.g. foo.me.com and bar.me.com could both send reports to baz.me.com).

The bug to loosen this is
https://bugzilla.mozilla.org/show_bug.cgi?id=843311

-Dan Veditz
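As an added illustration (not code from the thread, nor Firefox's own implementation), a small Python check for the rule Dan describes: the report-uri host must share the document's "public suffix plus one label" base domain. The public-suffix set is a constructed subset used only for this example; a real validator would consult the full Public Suffix List.

```python
# Added example: mimic the Firefox (2013) restriction that a CSP report-uri
# must share the document's base domain (public suffix plus one label).
# PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List for the
# purposes of this example only.
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}  # constructed subset


def base_domain(host: str) -> str:
    """Return the public suffix plus one label for host, e.g. foo.me.com -> me.com."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host downwards so the longest listed suffix wins
    # (e.g. "co.uk" is matched before "uk" would be).
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Suffix not in our (subset) list: fall back to the last two labels.
    return ".".join(labels[-2:])


def report_uri_allowed(document_url: str, report_uri: str) -> bool:
    """True if report_uri is acceptable under the same-base-domain rule.

    Only the base domain is compared, as in the rule Dan describes; a
    relative report-uri resolves against the document and is always allowed.
    """
    rep = urlsplit(report_uri)
    if not rep.netloc:
        return True  # relative URI: same origin as the document itself
    doc_host = urlsplit(document_url).hostname
    return base_domain(doc_host) == base_domain(rep.hostname)
```

The check flags a policy whose report-uri points at an unrelated registrable domain (for instance reports leaking to a third party), which is exactly the case the older Firefox behaviour refused.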



Received on Tuesday, 18 June 2013 15:44:18 UTC
