- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 28 Mar 2013 17:39:28 +0000
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Mar 28, 2013 at 5:01 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> What about the following proposal to limit the CSRF-type risks of CSP reports:
>
> 1. Require the report POST to be anonymous, per CORS.
> 2. Change the content-type from "application/json" to "application/csp-report"

I don't really see how that's not breaking the <form> invariant. It still allows a new type of data to be posted to an unsuspecting intranet. Admittedly the risk does seem fairly low, but people have got upset over less.

--
http://annevankesteren.nl/
Received on Thursday, 28 March 2013 17:39:55 UTC
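The exchange above, as an added example that is not part of the thread: a small Python model of the CORS simple-request rule Anne appeals to (a cross-origin POST is form-equivalent only when its Content-Type is one of the three types a <form> can produce), applied to the report POST as deployed at the time and to Brad's proposal. The `assess` and `csp_report` helpers are hypothetical; the three content types are the ones CORS treats as form-equivalent.

```python
from dataclasses import dataclass

# Content types an HTML <form> can already send cross-origin without a CORS
# preflight; this is the "<form> invariant" Anne refers to.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass(frozen=True)
class CrossOriginPost:
    content_type: str        # value of the Content-Type request header
    with_credentials: bool   # are the victim's cookies / HTTP auth attached?


def assess(post: CrossOriginPost) -> dict:
    """What does this browser-issued POST expose an unsuspecting receiver to?"""
    mime = post.content_type.split(";", 1)[0].strip().lower()
    form_equivalent = mime in FORM_CONTENT_TYPES
    return {
        # Could a plain <form> already have sent this? If so, nothing new.
        "form_equivalent": form_equivalent,
        # Otherwise the receiver gets a body type no <form> could produce.
        "new_data_type_reaches_intranet": not form_equivalent,
        # Classic CSRF relies on the victim's ambient credentials riding along.
        "ambient_credentials": post.with_credentials,
    }


def csp_report(content_type: str, anonymous: bool) -> CrossOriginPost:
    """Model the POST a browser sends to a report-uri (hypothetical helper)."""
    return CrossOriginPost(content_type, with_credentials=not anonymous)


# CSP reporting as deployed at the time: JSON body, credentials attached.
current = assess(csp_report("application/json", anonymous=False))
# Brad's proposal: anonymous POST with a dedicated content type.
proposed = assess(csp_report("application/csp-report", anonymous=True))
# An ordinary <form> submission, for comparison.
plain_form = assess(CrossOriginPost("application/x-www-form-urlencoded", True))

if __name__ == "__main__":
    for name, r in [("current", current), ("proposed", proposed), ("form", plain_form)]:
        print(f"{name:8} {r}")
```

The proposal removes the ambient-credential angle but, as the model shows, still delivers a body type no <form> could have sent, which is the invariant Anne is pointing at.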