- From: Hill, Brad <bhill@paypal.com>
- Date: Thu, 21 Aug 2014 16:44:49 +0000
- To: Stefan Ossendorf <stefan.ossendorf@outlook.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 21 August 2014 16:45:19 UTC
Stefan,

1. Both relative paths and fully-qualified URLs with a scheme, host and port are allowed for report-uri.

2. In the future we expect that there may be alternate methods to announce violations other than report-uri, such as a DOM API. In the meantime, if you can't enforce that there's a valid listener at a uri, it doesn't gain much to enforce that a uri is present.

-Brad

From: Stefan Ossendorf [mailto:stefan.ossendorf@outlook.de]
Sent: Thursday, August 21, 2014 9:36 AM
To: public-webappsec@w3.org
Subject: [CSP] feedback report-uri directive and report-only header

Hello,

I have two questions:

1. report-uri directive

According to https://w3c.github.io/webappsec/specs/content-security-policy/#set-of-report-uris

Quote: "The set of report URIs is the value of the report-uri directive, each resolved relative to the protected resource's URI."

Does relative mean really relative or just "resolve the uri"?

2. report-only header

Why is no report-uri directive enforced within a report-only header?

Thanks
-Stefan
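The two points in the exchange above (report-uri values are resolved against the protected resource's URI, and neither header requires a report-uri to be present) can be made concrete with a small resolver. The following is an added example written for this page; it is not code from the W3C spec, from either poster, or from any browser. It assumes the WHATWG URL constructor (available in browsers and Node) and uses a constructed document URL and policy string as input; the function names are illustrative.

```javascript
// Added example: resolving CSP report-uri tokens against the protected
// resource's URI. Not code from the spec or the mailing list.

// Split a CSP policy string into [directiveName, [tokens...]] pairs.
// Directive names are matched case-insensitively; tokens are whitespace-separated.
function parsePolicy(policy) {
  const directives = [];
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.push([tokens[0].toLowerCase(), tokens.slice(1)]);
  }
  return directives;
}

// The set of report URIs: every report-uri token resolved relative to the
// protected resource's URI (the document URL). A relative path such as
// "/csp-report" or "../collect" and a fully-qualified URL are both accepted;
// a token that cannot be resolved contributes no endpoint.
function reportUris(policy, protectedResourceUri) {
  const out = [];
  for (const [name, tokens] of parsePolicy(policy)) {
    if (name !== 'report-uri') continue;
    for (const token of tokens) {
      try {
        out.push(new URL(token, protectedResourceUri).href);
      } catch (e) {
        // Unresolvable token: dropped rather than treated as an error.
      }
    }
  }
  return out;
}

// Either CSP header is accepted with or without report-uri. When no
// report-uri resolves, reportsSent is false: the policy is still valid,
// but violations have nowhere to be delivered.
function reportEndpoints(headerName, policy, protectedResourceUri) {
  const name = headerName.toLowerCase();
  if (name !== 'content-security-policy' &&
      name !== 'content-security-policy-report-only') {
    throw new Error('not a CSP header: ' + headerName);
  }
  const endpoints = reportUris(policy, protectedResourceUri);
  return {
    reportOnly: name === 'content-security-policy-report-only',
    endpoints: endpoints,
    reportsSent: endpoints.length > 0,
  };
}

// Constructed sample input (not from the original page).
const SAMPLE_DOCUMENT = 'https://example.com/app/page.html';
const SAMPLE_POLICY =
  "default-src 'self'; " +
  'report-uri /csp-report https://reports.example.net/collect relative/endpoint ../up; ' +
  "script-src 'none'";

// Usage: a report-only header without report-uri is accepted but sends nothing.
reportEndpoints('Content-Security-Policy-Report-Only', "default-src 'self'", SAMPLE_DOCUMENT);
```

Note that "relative" here means URL resolution in the ordinary sense: a leading slash resolves against the document's origin, a bare path against the document's directory, and "../" climbs that directory, exactly as for any other relative reference on the page.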