- From: Neil Matatall <neilm@twitter.com>
- Date: Thu, 28 Mar 2013 10:55:27 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>
This works for Twitter's use case. I'm curious to see what other people backing cross-host posting say (I hope we aren't the only ones!). We do not analyze the reports from the public with anything identifiable.

On Thu, Mar 28, 2013 at 10:39 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Mar 28, 2013 at 5:01 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
>> What about the following proposal to limit the CSRF-type risks of CSP reports:
>>
>> 1. Require the report POST to be anonymous, per CORS.
>> 2. Change the content-type from "application/json" to "application/csp-report"
>
> I don't really see how that's not breaking the <form> invariant. It still allows a new type of data to be posted to an unsuspecting intranet. Admittedly the risk does seem fairly low, but people have got upset over less.
>
> --
> http://annevankesteren.nl/
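A receiver-side counterpart to the proposal quoted above, added here as an example that is not part of the thread and not code from Twitter, PayPal or any real report endpoint: it accepts both the current content type and the proposed application/csp-report, treats a report that arrives with credentials as not matching the anonymous-POST requirement (an assumed receiver policy, not something the browser proposal itself enforces), and keeps only the CSP 1.0 report fields so nothing identifiable is retained.

```python
import json

# Content types a CSP report receiver accepts: the current one and the
# dedicated one proposed in the thread (assumption: both are allowed while
# browsers transition).
ACCEPTED_CONTENT_TYPES = {"application/csp-report", "application/json"}

# Fields defined for CSP 1.0 violation reports; anything else is dropped so
# a stored report carries nothing beyond the policy violation itself.
REPORT_FIELDS = {"document-uri", "referrer", "blocked-uri",
                 "violated-directive", "original-policy"}


def accept_csp_report(headers, body):
    """Validate and sanitise one report POST (constructed example).

    headers: dict of request headers with lower-cased names; body: raw bytes.
    Returns (True, sanitised_report) or (False, rejection_reason).
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ACCEPTED_CONTENT_TYPES:
        return False, "unexpected content-type: %r" % ctype
    # An anonymous (credential-less) POST carries no cookies or auth header;
    # under the assumed policy a report that arrives with them is discarded
    # instead of being processed as a browser-originated violation report.
    if "cookie" in headers or "authorization" in headers:
        return False, "report carried credentials"
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "body is not valid JSON"
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return False, "missing csp-report object"
    # Allowlist the standard fields and require string values only.
    clean = {k: v for k, v in report.items()
             if k in REPORT_FIELDS and isinstance(v, str)}
    if "violated-directive" not in clean:
        return False, "report has no violated-directive"
    return True, clean


# Constructed sample report in the shape a browser posts to report-uri; the
# "user-id" field is made up to show non-standard fields being dropped.
SAMPLE_HEADERS = {"content-type": "application/csp-report"}
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "blocked-uri": "https://evil.example/x.js",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp",
    "user-id": "12345",
}}).encode("utf-8")
```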
Received on Thursday, 28 March 2013 17:56:00 UTC