RE: Cookieless cross-origin violation reports.

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 6 May 2013 18:26:57 +0000
To: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27A0D663@DEN-EXDDA-S12.corp.ebay.com>
The feeling in the room was that the constrained report format prevented most abuse cases.  

One further measure we discussed but did not take forward was changing the content-type from application/json to application/csp-report, to protect services that expected only the former.

Do you have thoughts or opinions on this, Anne?

Thanks,

Brad

> -----Original Message-----
> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com]
> On Behalf Of Anne van Kesteren
> Sent: Monday, May 06, 2013 9:51 AM
> To: Mike West
> Cc: public-webappsec@w3.org
> Subject: Re: Cookieless cross-origin violation reports.
> 
> On Sun, May 5, 2013 at 2:42 AM, Mike West <mkwst@google.com> wrote:
> > Consistent with the conversation in April's F2F, I've changed the 1.1
> > spec to require that cross-origin violation reports are sent without cookies:
> > https://dvcs.w3.org/hg/content-security-policy/rev/788b0b653c39
> >
> > I believe we'd reached consensus on that point, but I might have
> > missed some nuance over the phone. I'm happy to revert if there are
> > objections.
> 
> The intranet concern was not considered problematic?
> 
> 
> --
> http://annevankesteren.nl/

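As an added defender-side example (not code from the list thread or the CSP spec), a minimal report-receiver check in Python that applies the two measures Brad describes: it accepts only the proposed application/csp-report type, so a service that expects application/json is never reached by a browser-generated report, and it enforces the constrained report body. The accepted field list follows the CSP 1.0 report format; the sample report and header values are constructed for the example.

```python
import json

# Content-Type discussed on the list for violation reports, replacing
# the earlier application/json.
CSP_REPORT_TYPE = "application/csp-report"

# Fields of the constrained CSP 1.0 report body. Anything else is rejected
# so the endpoint cannot be used as a generic JSON sink.
ALLOWED_REPORT_FIELDS = {
    "document-uri", "referrer", "blocked-uri",
    "violated-directive", "original-policy",
}


def accept_csp_report(headers, body):
    """Validate one POST as a CSP violation report.

    `headers` maps lowercase header names to values; `body` is the raw
    request bytes. Returns (http_status, reason, report_dict_or_None).
    Any Cookie header is deliberately ignored: a report is never treated
    as an authenticated action, whether or not credentials arrived with it.
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != CSP_REPORT_TYPE:
        return 415, "unsupported content type", None
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "body is not JSON", None
    if not isinstance(doc, dict) or set(doc) != {"csp-report"}:
        return 400, "missing csp-report wrapper", None
    report = doc["csp-report"]
    if not isinstance(report, dict):
        return 400, "csp-report is not an object", None
    if set(report) - ALLOWED_REPORT_FIELDS:
        return 400, "unexpected report fields", None
    if not all(isinstance(v, str) for v in report.values()):
        return 400, "non-string report field", None
    return 204, "ok", report


# Constructed sample request, as a compliant browser would send it.
SAMPLE_HEADERS = {"content-type": "application/csp-report"}
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/page",
    "referrer": "",
    "blocked-uri": "https://cdn.example.net/x.js",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp",
}}).encode("utf-8")
```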

Received on Monday, 6 May 2013 18:27:28 UTC