
Re: cspBuilder Wizard

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 18 Jun 2013 08:43:43 -0700
Message-ID: <51C0802F.3050004@mozilla.com>
To: Ken Lee <kennysan@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 6/17/2013 9:30 AM, Ken Lee wrote:
> Also--I thought CSP 1.0 forbid submitting reports to an endpoint that
> wasn't the same host, port, scheme as the host?

Early drafts did, but the current nearly-official spec makes no
restrictions. The Firefox implementation still restricts the report-uri
to the same base domain, defined as the "public suffix" plus one label
(e.g. foo.me.com and bar.me.com could both send reports to baz.me.com).

The bug to loosen this is

-Dan Veditz

Received on Tuesday, 18 June 2013 15:44:18 UTC
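
The same-base-domain rule described in the message above, sketched as an added example (not part of the original message and not Firefox's code). The names `SUFFIXES`, `baseDomain` and `reportUriAllowed` are hypothetical, the suffix set is a tiny constructed stand-in for the real Public Suffix List, and the exact-host fallback for hosts with no known suffix is an assumption.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: a real
// check would consult the full, current list).
const SUFFIXES = new Set(["com", "org", "uk", "co.uk"]);

// Base domain = longest matching public suffix plus one label.
// Returns null when the host is itself a suffix or no suffix is known.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (SUFFIXES.has(labels.join("."))) return null;
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// True when the report-uri shares the protected document's base domain.
// Scheme and port are not compared: the message describes only a
// base-domain restriction.
function reportUriAllowed(documentUrl, reportUri) {
  const doc = new URL(documentUrl);
  const report = new URL(reportUri, doc); // relative report-uri resolves against the document
  const a = baseDomain(doc.hostname);
  const b = baseDomain(report.hostname);
  // Assumption: with no computable base domain (IP literal, unknown
  // suffix), fall back to requiring the identical host.
  if (a === null || b === null) return doc.hostname === report.hostname;
  return a === b;
}

// Constructed sample origins, including the ones used in the message.
console.log(reportUriAllowed("https://foo.me.com/page", "https://baz.me.com/csp"));
console.log(reportUriAllowed("https://foo.me.com/page", "https://collector.example.org/csp"));
console.log(reportUriAllowed("https://a.example.co.uk/", "https://b.other.co.uk/r"));
```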
