- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Mon, 6 May 2013 18:26:57 +0000
- To: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
The feeling in the room was that the constrained report format prevented most abuse cases. One further measure we discussed but did not take forward was changing the content-type from application/json to application/csp-report, to protect services that expected only the former.

Do you have thoughts or opinions on this, Anne?

Thanks,
Brad

> -----Original Message-----
> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com]
> On Behalf Of Anne van Kesteren
> Sent: Monday, May 06, 2013 9:51 AM
> To: Mike West
> Cc: public-webappsec@w3.org
> Subject: Re: Cookieless cross-origin violation reports.
>
> On Sun, May 5, 2013 at 2:42 AM, Mike West <mkwst@google.com> wrote:
> > Consistent with the conversation in April's F2F, I've changed the 1.1
> > spec to require that cross-origin violation reports are sent without cookies:
> > https://dvcs.w3.org/hg/content-security-policy/rev/788b0b653c39
> >
> > I believe we'd reached consensus on that point, but I might have
> > missed some nuance over the phone. I'm happy to revert if there are
> > objections.
>
> The intranet concern was not considered problematic?
>
>
> --
> http://annevankesteren.nl/
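The "constrained report format" and the content-type change discussed above are what a report collector can check on its side. The following validator is an added example, not code from the thread or the CSP specification: it accepts the proposed application/csp-report type (and application/json for older senders), rejects any body that is not exactly a single "csp-report" object with the CSP 1.1 draft's field names (assumed from the draft; the thread does not list them), and never consults a Cookie header.

```python
import json

# Content types the collector parses: "application/csp-report" is the value the
# thread proposes, "application/json" is what CSP 1.0 sends.
ACCEPTED_TYPES = {"application/csp-report", "application/json"}

# Field names of the CSP 1.1 draft report object (assumed from the draft; the
# thread does not list them). Any other field is rejected: the format is constrained.
ALLOWED_KEYS = {
    "document-uri", "referrer", "blocked-uri", "violated-directive",
    "effective-directive", "original-policy", "source-file",
    "line-number", "column-number", "status-code",
}
REQUIRED_KEYS = {"document-uri", "violated-directive", "original-policy"}


def validate_csp_report(headers, body):
    """Return (ok, reason) for one POST; header names are lower-cased.
    No Cookie header is consulted: a report is never an authenticated request."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ACCEPTED_TYPES:
        return False, "unexpected content type: %r" % ctype
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    if not isinstance(doc, dict) or set(doc) != {"csp-report"}:
        return False, "top-level object must contain exactly 'csp-report'"
    report = doc["csp-report"]
    if not isinstance(report, dict):
        return False, "'csp-report' must be an object"
    extra = set(report) - ALLOWED_KEYS
    if extra:
        return False, "unknown report fields: %s" % sorted(extra)
    missing = REQUIRED_KEYS - set(report)
    if missing:
        return False, "missing report fields: %s" % sorted(missing)
    for key in ("line-number", "column-number", "status-code"):
        if key in report and not isinstance(report[key], int):
            return False, "%s must be an integer" % key
    return True, "ok"


# Constructed sample report (not a captured one) for a stand-alone run.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp",
    "blocked-uri": "https://cdn.example.test/x.js", "line-number": 12}})
if __name__ == "__main__":
    print(validate_csp_report({"content-type": "application/csp-report"}, SAMPLE_BODY))
```

A JSON API that is not a report collector can apply the same content-type test in reverse: a body arriving as application/csp-report is a browser-generated report, not an API call, and should not reach any cookie-authenticated handler.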
Received on Monday, 6 May 2013 18:27:28 UTC