
Re: CSP: set of report URIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 19 Mar 2013 11:11:42 -0400
Message-ID: <CADnb78h0Tfq==rH9K_phFk21xERhT7sdNq_5nBJnhjk68zvVog@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>, "dveditz@mozilla.com" <dveditz@mozilla.com>

On Tue, Mar 19, 2013 at 10:54 AM, Mike West <mkwst@google.com> wrote:
> There is not a guarantee that the report URIs are same-origin, though I
> believe Mozilla enforces that requirement (Daniel? Can you confirm?).
> WebKit uses the same mechanism for these requests as used for hyperlink
> auditing, which has similar requirements. Can you elaborate on the value of
> adding a CORS preflight to the mix?

The problem is that you are doing something that was not possible thus
far and thus it may have security implications. That's the whole reason
why CORS requires a preflight. Hyperlink auditing seems quite
constrained, but yeah, I did forget that does something that <form>
does not allow. Then again, I'm not sure that's a reason to open this
up even further.

Received on Tuesday, 19 March 2013 15:12:10 UTC
