- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 19 Mar 2013 13:16:33 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 19 March 2013 20:17:05 UTC
I'm still not entirely convinced this is worthwhile… just another data point to collect.

Our 404 page is the same across all applications. The response is intercepted and replaced with static content. In this case, the 404 page keeps the response headers, which causes all kinds of mayhem. Having the response code of the page may help those aggregating reports better understand what is going on.

I'm having trouble thinking of other use cases for this feature. Our 404 page was not CSP-friendly at all. Being able to see the common response code would have helped us narrow it down sooner.

For those who return 200s for all 2xx, 4xx, and 5xx response codes, this obviously has no benefit.

I could see potential privacy issues here, but that is not my area of expertise so I'll let others pick that apart.