- From: Ian Melven <imelven@mozilla.com>
- Date: Tue, 19 Mar 2013 09:01:23 -0700 (PDT)
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, Daniel Veditz <dveditz@mozilla.com>
----- Original Message -----
From: "Anne van Kesteren" <annevk@annevk.nl>
To: "Daniel Veditz" <dveditz@mozilla.com>
Cc: "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, March 19, 2013 8:28:12 AM
Subject: Re: CSP: set of report URIs

> I do agree with Adam that we (Mozilla) should not have done that.
> Effective TLDs are no good and using effective TLDs here also opens up
> things further than what <form> allows. Either we should be okay with
> JSON payloads going cross-origin or we should keep the same-origin
> restriction, or alternatively, we should make it a (one-way) CORS
> request.

Just a note that another option that has been discussed, due to privacy concerns around the violation report payload, is to allow sending the reports cross-origin, but providing less detail than if they were going same-origin.

The same-origin restriction, as Dan said, has been complained about by sites implementing CSP, particularly since only Gecko and not WebKit imposes it.

CORS is an interesting idea, but I think one of the cases that people are concerned about is an attacker being able to use an injected CSP (particularly if <meta> CSP ends up widely implemented) to send violation data to their own server, which will obviously grant permission via CORS (same concern addressed via not allowing redirects on report POSTs IMO).

thanks,
ian
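As an added illustration of the "less detail when cross-origin" option Ian mentions (example code, not from the thread or from any browser): the report-uri directive of a CSP 1.0 header is parsed, each endpoint is classified as same-origin or cross-origin with the document, and the report body is either the full CSP 1.0 report or a reduced one. The reduced field set is an assumption chosen for illustration; the thread proposes the idea but fixes no fields.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def serialize_origin(url):
    """Cut a URL down to its origin, dropping path, query and fragment."""
    scheme, host, port = origin_of(url)
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def report_uris(policy, document_url):
    """Extract report-uri endpoints from a CSP header, resolved against the document URL."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "report-uri":
            return [urljoin(document_url, t) for t in tokens[1:]]
    return []


def build_report(document_url, endpoint, violation):
    """Full CSP 1.0 report for a same-origin endpoint, reduced detail otherwise."""
    same_origin = origin_of(document_url) == origin_of(endpoint)
    if same_origin:
        body = dict(violation)
        body["document-uri"] = document_url
    else:
        # Assumed reduction: no referrer, no original policy, and URIs trimmed
        # to their origins. Keywords such as 'self' or 'inline' are kept as-is.
        blocked = violation.get("blocked-uri", "")
        if "://" in blocked:
            blocked = serialize_origin(blocked)
        body = {
            "document-uri": serialize_origin(document_url),
            "blocked-uri": blocked,
            "violated-directive": violation["violated-directive"],
        }
    return {"csp-report": body}, ("same-origin" if same_origin else "cross-origin")
```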
Received on Tuesday, 19 March 2013 16:01:54 UTC