RE: [CSP] feedback report-uri directive and report-only header


1. Both relative paths and fully-qualified URLs with a scheme, host and port are allowed for report-uri.
2. In the future we expect that there may be alternate methods to announce violations other than report-uri, such as a DOM API.  In the meantime, if you can't enforce that there's a valid listener at a uri, it doesn't gain much to enforce that a uri is present.


From: Stefan Ossendorf []
Sent: Thursday, August 21, 2014 9:36 AM
Subject: [CSP] feedback report-uri directive and report-only header


I have two questions:

1. report-uri directive
According to
Quote: "The set of report URIs is the value of the report-uri directive, each resolved relative to the protected resource's URI."
Does relative mean really relative or just "resolve the URI"?

2. report-only-header
Why is no report-uri directive enforced within a report-only-header?


Received on Thursday, 21 August 2014 16:45:19 UTC