Re: CSP: set of report URIs

On Thu, Mar 28, 2013 at 5:01 PM, Hill, Brad <> wrote:
> What about the following proposal to limit the CSRF-type risks of CSP reports:
> 1. Require the report POST to be anonymous, per CORS.
> 2. Change the content-type from "application/json" to "application/csp-report"

I don't really see how that's not breaking the <form> invariant. It
still allows a new type of data to be posted to an unsuspecting
intranet. Admittedly the risk does seem fairly low, but people have
got upset over less.


Received on Thursday, 28 March 2013 17:39:55 UTC
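A receiving endpoint that enforces the two mitigations in the quoted proposal (dedicated media type, anonymous request) before trusting a report body. This is an added example, not code from the thread or from any CSP implementation; `parse_csp_report`, the required-field list and the sample body are assumptions/constructed, and `application/csp-report` is the name proposed above, not a shipped standard.

```python
import json

# Media type from the quoted proposal (assumption: not a standardised value).
REPORT_CONTENT_TYPE = "application/csp-report"
# Fields a CSP 1.0 report object carries; checked so junk JSON is not logged as a report.
REQUIRED_FIELDS = ("document-uri", "violated-directive", "blocked-uri")


def parse_csp_report(headers: dict, body: bytes) -> dict:
    """Validate a report POST and return its key fields, or raise ValueError.

    Receiver-side view of the proposal: a generic JSON endpoint should not
    accept the report by accident (media type check), and the request must
    be anonymous, so ambient credentials are treated as a reason to refuse it.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    ctype = norm.get("content-type", "").split(";")[0].strip().lower()
    if ctype != REPORT_CONTENT_TYPE:
        raise ValueError(f"unexpected Content-Type {ctype!r}")
    if "cookie" in norm or "authorization" in norm:
        raise ValueError("report request must be anonymous")
    if len(body) > 64 * 1024:
        raise ValueError("report body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("report body is not valid JSON") from exc
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    missing = [f for f in REQUIRED_FIELDS if f not in report]
    if missing:
        raise ValueError(f"report lacks fields: {missing}")
    return {f: str(report[f]) for f in REQUIRED_FIELDS}


# Constructed sample body in the shape of a CSP 1.0 violation report.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://app.example/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example/x.js",
}}).encode()

if __name__ == "__main__":
    print(parse_csp_report({"Content-Type": REPORT_CONTENT_TYPE}, SAMPLE_BODY))
```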