- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 19 Mar 2013 08:21:02 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: WebAppSec WG <public-webappsec@w3.org>
On 3/19/2013 4:16 AM, Anne van Kesteren wrote:
> Is this set of URLs guaranteed to be same-origin somehow? Doing a
> cross-origin POST request with a JSON entity body is not something
> either <form> or XMLHttpRequest with CORS can do, so it would require at
> least a CORS preflight.
The original Mozilla implementation required the report-uri to be
same-origin with the document. Redirects were disallowed out of fears
that open redirects might be common on the sorts of complex sites that
could benefit from CSP.
After complaints that this was overly restrictive we relaxed the
requirement to "same base domain" where base domain was the first label
to the left of an item on our "effective TLD" list ("eTLD+1").
The CSP 1.0 spec has no restriction at all on report-uri because Adam
(for one) thinks the "effective domain" concept is a terrible idea that
must not spread to specs beyond cookies, and potential CSP users still
think same-origin is overly restrictive.
-Dan Veditz
Received on Tuesday, 19 March 2013 15:21:34 UTC
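The three report-uri policies Dan describes (same-origin, "same base domain" / eTLD+1, and CSP 1.0's no restriction) as a small validator. This is an added example, not code from the thread or from Mozilla; the effective-TLD list is a constructed stand-in for the real list, and the policy names are assumed labels.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for Mozilla's "effective TLD" list
# (the real list is the Public Suffix List); assumed for this example only.
EFFECTIVE_TLDS = {"com", "org", "uk", "co.uk", "github.io"}


def effective_tld_plus_one(host):
    """Return the eTLD+1 ("base domain") of a hostname: the label immediately
    to the left of the longest suffix found in the effective-TLD list."""
    labels = host.lower().rstrip(".").split(".")
    # i=0 is the whole host, so the longest matching suffix is found first
    # ("co.uk" wins over "uk").
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in EFFECTIVE_TLDS:
            if i == 0:
                raise ValueError("%r is itself an effective TLD" % host)
            return ".".join(labels[i - 1:])
    # No listed suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def origin(url):
    """(scheme, host, port) tuple, with default ports filled in."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), parts.port or default)


def report_uri_allowed(document_url, report_uri, policy):
    """policy: 'same-origin' (original Mozilla), 'etld+1' (relaxed Mozilla),
    or 'any' (CSP 1.0). Redirect handling at report time is out of scope here."""
    if policy == "any":
        return True
    doc, rep = origin(document_url), origin(report_uri)
    if policy == "same-origin":
        return doc == rep
    if policy == "etld+1":
        return effective_tld_plus_one(doc[1]) == effective_tld_plus_one(rep[1])
    raise ValueError("unknown policy %r" % policy)
```

Note that under eTLD+1 two sibling hosts under a shared public suffix such as github.io are still treated as different base domains.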