- From: Mike West <mkwst@google.com>
- Date: Tue, 19 Mar 2013 15:54:25 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, "dveditz@mozilla.com" <dveditz@mozilla.com>
Received on Tuesday, 19 March 2013 14:55:20 UTC
There is not a guarantee that the report URIs are same-origin, though I believe Mozilla enforces that requirement (Daniel? Can you confirm?). WebKit uses the same mechanism for these requests as used for hyperlink auditing, which has similar requirements. Can you elaborate on the value of adding a CORS preflight to the mix?

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Tue, Mar 19, 2013 at 12:16 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Is this set of URLs guaranteed to be same-origin somehow? Doing a
> cross-origin POST request with a JSON entity body is not something
> either <form> or XMLHttpRequest with CORS can do so would require at
> least a CORS preflight.
>
> --
> http://annevankesteren.nl/
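An added example, not part of the original thread or of any browser's code: a sketch of the CORS simple-request rule that the quoted question relies on, showing why a cross-origin POST declared as JSON needs a preflight while form-style POSTs do not. The function name `preflightCheck`, the sample requests and the `application/json` content type for the report are assumptions.

```javascript
// Added example: decides whether a cross-origin request is a CORS "simple"
// request (sent without a preflight) or needs an OPTIONS preflight first.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mimeEssence(value) {
  return String(value).split(";")[0].trim().toLowerCase();
}

// Returns { preflight: boolean, reasons: string[] } for a request description.
// Only author-set headers are passed in; browser-set ones (Origin etc.) are ignored.
function preflightCheck({ method, headers = {} }) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method} is not simple`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (SIMPLE_HEADERS.has(lower)) continue;
    if (lower === "content-type") {
      if (!SIMPLE_CONTENT_TYPES.has(mimeEssence(value))) {
        reasons.push(`Content-Type ${mimeEssence(value)} is not simple`);
      }
      continue;
    }
    reasons.push(`header ${name} is not simple`);
  }
  return { preflight: reasons.length > 0, reasons };
}

// Constructed sample requests (not taken from the thread).
const samples = {
  formPost: { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  textPlainXhr: { method: "POST", headers: { "Content-Type": "text/plain; charset=UTF-8" } },
  // Assumption: the violation report is labelled application/json.
  jsonReport: { method: "POST", headers: { "Content-Type": "application/json" } },
  customHeader: { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } },
};

for (const [name, req] of Object.entries(samples)) {
  const { preflight, reasons } = preflightCheck(req);
  console.log(name, preflight ? `preflight: ${reasons.join("; ")}` : "no preflight");
}
```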