Re: CSP formal objection.

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 10:54:27 +0100
Message-ID: <CAKXHy=cs-fpCnRV869VrLuoWnGOzUkhcR0ZhubiE7Mwo79UKTw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Fred Andrews <fredandw@live.com>, Web Application Security Working Group <public-webappsec@w3.org>

> The spec should not declare reporting as opt-in or opt-out. It should
> define a syntax for how sites can make their reporting URL known, and
> define the structure of those reports so sites can parse them. We can
> include non-normative notes on these tradeoffs and concerns, but it's up
> to each UA to decide if they want to default to sending reports or not,
> or whether they'd ask users each time (like the geolocation prompt, for
> example).

Everything else to the side, we do currently call out the 'referer' header
explicitly as something the user agent can restrict above and beyond what
the 'referrer' directive implies. Would it sufficiently address your
concerns to add a note along the lines of "Note: This specification should
not be interpreted as limiting user agents' ability to apply other
restrictions to limit data leakage via violation reports." to the
'report-uri' section of the spec?

Received on Wednesday, 12 February 2014 09:55:15 UTC