RE: [CSP] feedback report-uri directive and report-only header

Stefan,

1. Both relative paths and fully-qualified URLs with a scheme, host and port are allowed for report-uri.
2. In the future we expect that there may be alternate methods to announce violations other than report-uri, such as a DOM API.  In the meantime, if you can't enforce that there's a valid listener at a uri, it doesn't gain much to enforce that a uri is present.

-Brad
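An added illustration of the two points above (example code, not from the thread or the spec): it extracts the report-uri directive from a header value and resolves each entry against the protected resource's URL, so a path-relative value, a path-absolute value and a fully-qualified URL all come out as usable report URIs, while a report-only policy with no report-uri simply yields an empty set. The page URL and header values are constructed for the example.

```python
from urllib.parse import urljoin

def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [values]}.
    Directives are ';'-separated; a repeated directive name is ignored,
    as CSP 1.0 specifies (the first instance wins)."""
    policy = {}
    for token in header_value.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        if name not in policy:
            policy[name] = values
    return policy

def report_uris(header_value, protected_resource):
    """The policy's set of report URIs: every report-uri value resolved
    relative to the protected resource's URL, as the spec text quoted
    in the original question says. Returns [] when the directive is absent,
    which is valid for a report-only policy (it just reports nowhere)."""
    values = parse_csp(header_value).get("report-uri", [])
    return [urljoin(protected_resource, v) for v in values]

# Constructed sample input: the document that carries the policy and two header values.
PAGE = "https://app.example.com/account/settings"
ENFORCED = ("default-src 'self'; "
            "report-uri csp-report /csp-report https://reports.example.com:8443/csp")
REPORT_ONLY = "default-src 'self'"   # report-only header with no report-uri

if __name__ == "__main__":
    for uri in report_uris(ENFORCED, PAGE):
        print(uri)
    print("report-only destinations:", report_uris(REPORT_ONLY, PAGE))
```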

From: Stefan Ossendorf [mailto:stefan.ossendorf@outlook.de]
Sent: Thursday, August 21, 2014 9:36 AM
To: public-webappsec@w3.org
Subject: [CSP] feedback report-uri directive and report-only header

Hello,

I have two questions:

1. report-uri directive
According to https://w3c.github.io/webappsec/specs/content-security-policy/#set-of-report-uris
Quote: "The set of report URIs is the value of the report-uri directive, each resolved relative to the protected resource's URI."
Does relative mean really relative or just "resolve the uri"?

2. report-only-header
Why is no report-uri directive enforced within a report-only-header?

Thanks
-Stefan

Received on Thursday, 21 August 2014 16:45:19 UTC