RE: [CSP] feedback report-uri directive and report-only header from Hill, Brad on 2014-08-21 (public-webappsec@w3.org from August 2014)

From: Hill, Brad <bhill@paypal.com>
Date: Thu, 21 Aug 2014 16:44:49 +0000
To: Stefan Ossendorf <stefan.ossendorf@outlook.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E5EADCF51@DEN-EXDDA-S12.corp.ebay.com>

Stefan,

1. Both relative paths or fully-qualified URLs with a scheme, host and port are allowed for report-uri.
2. In the future we expect that there may be alternate methods to announce violations other than report-uri, such as a DOM API.  In the meantime, if you can't enforce that there's a valid listener at a uri, it doesn't gain much to enforce that a uri is present.

-Brad

From: Stefan Ossendorf [mailto:stefan.ossendorf@outlook.de]
Sent: Thursday, August 21, 2014 9:36 AM
To: public-webappsec@w3.org
Subject: [CSP] feedback report-uri directive and report-only header

Hello,

I have two questions:

1. report-uri directive
According to https://w3c.github.io/webappsec/specs/content-security-policy/#set-of-report-uris
Quote: "The set of report URIs is the value of the report-uri directive, each resolved relative to the protected resource's URI."
Does relative means really relative or just "resolve the uri"?

2. report-only-header
Why is no report-uri directive enforced within a report-only-header?

Thanks
-Stefan

Received on Thursday, 21 August 2014 16:45:19 UTC