- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Thu, 28 Mar 2013 17:01:48 +0000
- To: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
What about the following proposal to limit the CSRF-type risks of CSP reports:

1. Require the report POST to be anonymous, per CORS.
2. Change the content-type from "application/json" to "application/csp-report"?

-Brad

> -----Original Message-----
> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On Behalf Of Anne van Kesteren
> Sent: Saturday, March 23, 2013 12:38 PM
> To: WebAppSec WG
> Subject: Re: CSP: set of report URIs
>
> On Tue, Mar 19, 2013 at 11:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> > Is this set of URLs guaranteed to be same-origin somehow? Doing a cross-origin POST request with a JSON entity body is not something either <form> or XMLHttpRequest with CORS can do, so it would require at least a CORS preflight.
>
> Note also that the invocation of fetch that is used does not limit credentials in any way. That seems like a bug.
>
> I created http://wiki.whatwg.org/wiki/HTTP_Fetch_Policy by the way where I try to document what kind of requests can be made from a website. The idea is to figure out if we actually have any kind of policy in place here or if we're just doing something making wild guesses about whether what we do is secure or not for the third party... I have the feeling we're quite inconsistent.
>
> --
> http://annevankesteren.nl/
Received on Thursday, 28 March 2013 17:02:32 UTC
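The receiver-side view of the two points in the proposal above, as an added example that is not code from the thread or the working group: a small Python handler that accepts a report only with the proposed "application/csp-report" media type and never consults cookies (so the POST is handled as anonymous whatever the browser sent), plus a helper showing which media types a cross-origin POST can carry without a CORS preflight. The header dictionary and the sample report are constructed for the example.

```python
import json
from typing import Optional

# Added example for this thread (not WG code); request shape and sample
# report are constructed. Media types a cross-origin <form> or a CORS
# "simple" request can send without preflight: accepting any of these
# at a report endpoint would let a plain forged form post reach it.
FORM_POSTABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
REPORT_TYPE = "application/csp-report"


def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def needs_cors_preflight(content_type: str) -> bool:
    """True if a cross-origin POST with this media type cannot be made by
    <form> or by XMLHttpRequest without a CORS preflight."""
    return media_type(content_type) not in FORM_POSTABLE_TYPES


def handle_csp_report(headers: dict, body: bytes) -> tuple:
    """Receiver side of the proposal: returns (status, parsed report).
    The report is treated as anonymous: the Cookie header is never read,
    so posting here can never trigger a session-bound action."""
    if media_type(headers.get("content-type", "")) != REPORT_TYPE:
        return 415, None  # wrong media type: reject before parsing
    try:
        report = json.loads(body.decode("utf-8"))["csp-report"]
        for key in ("document-uri", "violated-directive"):  # CSP 1.0 fields
            if not isinstance(report[key], str):
                return 400, None
    except (UnicodeDecodeError, ValueError, KeyError, TypeError):
        return 400, None
    return 204, report


# Constructed sample in the CSP 1.0 "csp-report" JSON shape
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://third-party.example/x.js",
}}).encode()
```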