I think the DOM Event that Mike West is proposing can be used by people
that might want to do more things. So while I would like to be able to
pinpoint users in reports to facilitate debugging, I can do it ad-hoc
rather than always, which is also good because it makes the log-collection
consequences of using report-uri a lot simpler.
On Thu, Mar 28, 2013 at 10:55 AM, Neil Matatall <neilm@twitter.com> wrote:
> This works for Twitter's use case. I'm curious to see what other
> people backing cross-host posting say (I hope we aren't the only
> ones!). We do not analyze the reports from the public with anything
> identifiable.
>
> On Thu, Mar 28, 2013 at 10:39 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > On Thu, Mar 28, 2013 at 5:01 PM, Hill, Brad <bhill@paypal-inc.com>
> wrote:
> >> What about the following proposal to limit the CSRF-type risks of CSP
> reports:
> >>
> >> 1. Require the report POST to be anonymous, per CORS.
> >> 2. Change the content-type from "application/json" to
> "application/csp-report"
> >
> > I don't really see how that's not breaking the <form> invariant. It's
> > still allows a new type of data to be posted to an unsuspecting
> > intranet. Admittedly the risk does seem fairly low, but people have
> > got upset over less.
> >
> >
> > --
> > http://annevankesteren.nl/
> >
>
>