Re: CSP: set of report URIs

I think the DOM Event that Mike West is proposing can be used by people
who might want to do more things. So while I would like to be able to
pinpoint users in reports to facilitate debugging, I can do it ad hoc
rather than always, which is also good because it makes the log-collection
consequences of using report-uri a lot simpler.


On Thu, Mar 28, 2013 at 10:55 AM, Neil Matatall <neilm@twitter.com> wrote:

> This works for Twitter's use case. I'm curious to see what other
> people backing cross-host posting say (I hope we aren't the only
> ones!). We do not analyze the reports from the public with anything
> identifiable.
>
> On Thu, Mar 28, 2013 at 10:39 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > On Thu, Mar 28, 2013 at 5:01 PM, Hill, Brad <bhill@paypal-inc.com>
> wrote:
> >> What about the following proposal to limit the CSRF-type risks of CSP
> reports:
> >>
> >> 1. Require the report POST to be anonymous, per CORS.
> >> 2. Change the content-type from "application/json" to
> "application/csp-report"
> >
> > I don't really see how that's not breaking the <form> invariant. It
> > still allows a new type of data to be posted to an unsuspecting
> > intranet. Admittedly the risk does seem fairly low, but people have
> > got upset over less.
> >
> >
> > --
> > http://annevankesteren.nl/
> >
>
>

Received on Thursday, 28 March 2013 19:13:59 UTC
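As an added illustration of the collector side of this thread (this is not code from any of the participants or from a browser project), the following is a minimal report-uri handler that does what the proposal above asks a receiving endpoint to depend on: it accepts only the "application/csp-report" type (plus "application/json", which CSP 1.0 implementations sent), so a plain <form> POST with its form-encoded or text/plain body is rejected, and it logs nothing identifiable, stripping query strings and fragments from every URI field before the record is stored. The JSON wrapper ("csp-report") and the field names are those of the CSP 1.0/1.1 report format; the function names, the size cap, the choice of kept fields and the sample report are assumptions made for this example.

```python
"""Minimal CSP report-uri collector logic (added example, not from the thread)."""
import json
from urllib.parse import urlsplit, urlunsplit

# Content types a collector should accept. "application/csp-report" is the type
# proposed in this thread; "application/json" is what CSP 1.0 implementations
# sent. A <form> can only produce urlencoded, multipart or text/plain bodies,
# so none of those are accepted here.
ACCEPTED_TYPES = {"application/csp-report", "application/json"}
MAX_BODY = 16 * 1024  # assumption: cap on the POST body we are willing to parse

# Fields of the "csp-report" object that are kept; anything else is dropped.
KEPT_FIELDS = ("document-uri", "referrer", "blocked-uri",
               "violated-directive", "effective-directive", "original-policy")
URI_FIELDS = ("document-uri", "referrer", "blocked-uri")


class BadReport(ValueError):
    """Raised for any request that should be answered with a 4xx."""


def redact_uri(value):
    """Keep scheme, host and path only; query strings and fragments are where
    session tokens and per-user identifiers tend to live. Non-URI values such
    as "inline", "eval" or "self" have no scheme and pass through unchanged."""
    parts = urlsplit(value)
    if not parts.scheme:
        return value
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def parse_content_type(header):
    """Return the media type without parameters, lower-cased."""
    return (header or "").split(";", 1)[0].strip().lower()


def handle_csp_report(headers, body):
    """Validate one report POST and return the sanitized record to log.

    headers: dict of request headers (looked up case-insensitively)
    body:    raw request body as bytes
    The handler never reads Cookie or Authorization, so an anonymous POST
    is handled exactly like any other request.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = parse_content_type(h.get("content-type"))
    if ctype not in ACCEPTED_TYPES:
        raise BadReport("unexpected content type %r" % ctype)
    if len(body) > MAX_BODY:
        raise BadReport("body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadReport("malformed JSON: %s" % exc)
    if not isinstance(doc, dict) or not isinstance(doc.get("csp-report"), dict):
        raise BadReport("missing csp-report object")
    report = doc["csp-report"]
    record = {}
    for field in KEPT_FIELDS:
        value = report.get(field)
        if not isinstance(value, str):
            continue  # wrong type or absent: leave it out rather than guess
        record[field] = redact_uri(value) if field in URI_FIELDS else value
    return record


def accepts(headers, body):
    """True if handle_csp_report would log this request, False if it rejects."""
    try:
        handle_csp_report(headers, body)
        return True
    except BadReport:
        return False


# Constructed sample report, with identifying query/fragment parts on purpose.
SAMPLE_HEADERS = {"Content-Type": "application/csp-report"}
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.com/inbox?user=12345#msg-9",
    "referrer": "",
    "blocked-uri": "https://evil.example/track.js?sid=abc",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp-report",
}}).encode("utf-8")

if __name__ == "__main__":
    print(handle_csp_report(SAMPLE_HEADERS, SAMPLE_BODY))
```

The content-type check is the server's half of the bargain only: it stops a report endpoint from being driven by an ordinary cross-site form, but it does nothing about the intranet-posting concern Anne raises, which is about what the browser will send to a host that never asked for reports at all. Whether reports carry cookies is likewise decided by the browser, which is why the handler above simply never looks at them.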