Re: Reducing reporting noise

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 20 Jun 2014 16:49:02 -0700
Message-ID: <53A4C86E.6060208@mozilla.com>
To: Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>
CC: "Hill, Brad" <bhill@paypal.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Neil Matatall <neilm@twitter.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 6/20/2014 4:23 PM, Chris Palmer wrote:
> How complicated does this need to be? Not very.
> 
> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-15#section-2.5
> 
> """UAs SHOULD make a best effort not to inundate report-uris with
> redundant reports.""" Especially if they know they are on an expensive
> data plan vs. (potentially not expensive) wifi and if they know the
> battery is low.

That's easy enough to say for key pinning, which only has one fact to
communicate. For CSP, which reports are duplicative? There could be
dozens on a single page. Is an inline script found on line 12 of the
HTML a duplicate of an inline script on line 112? What if the site has a
common framework and the same error shows up page after page in a shared
inclusion? Is that a duplicate that can be suppressed or a sign of the
same attack affecting multiple pages?

There's not much report suppressing the client can safely do without
guidance from the site's authors.

If this isn't bothering anyone else then never mind, I'll tell the
Mozilla web devs to suck it up and deal with it.

-Dan Veditz
Received on Friday, 20 June 2014 23:49:33 UTC
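As an added illustration of the question raised above (which CSP reports count as duplicates), not part of this message or the thread: a small Python aggregator that groups constructed CSP 1.0-style violation reports under three candidate deduplication keys and shows how the answer changes with the key. The field names are those of the CSP report format; the URLs, the sample violations and the key schemes are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample violations (field names from the CSP 1.0 report format):
# two inline scripts on one page (HTML lines 12 and 112) and one external
# script blocked on two pages that share a common framework include.
_DOC_A = "https://site.example/index.html"
_DOC_B = "https://site.example/about.html"
_VIOLATIONS = [
    {"document-uri": _DOC_A, "violated-directive": "script-src 'self'",
     "blocked-uri": "self", "source-file": _DOC_A, "line-number": 12},
    {"document-uri": _DOC_A, "violated-directive": "script-src 'self'",
     "blocked-uri": "self", "source-file": _DOC_A, "line-number": 112},
    {"document-uri": _DOC_A, "violated-directive": "script-src 'self'",
     "blocked-uri": "https://widgets.example/frame.js"},
    {"document-uri": _DOC_B, "violated-directive": "script-src 'self'",
     "blocked-uri": "https://widgets.example/frame.js"},
]
# The JSON bodies a browser would POST to the site's report-uri endpoint.
RAW_REPORTS = [json.dumps({"csp-report": v}) for v in _VIOLATIONS]

# Candidate deduplication keys; picking one is a decision only the site can make.
KEY_FIELDS = {
    # Every distinct location is its own event; nothing is suppressed.
    "exact": ("document-uri", "violated-directive", "blocked-uri",
              "source-file", "line-number"),
    # Ignore the page: a shared include hit on many pages becomes one event,
    # but so would the same injection recurring across pages.
    "per-location": ("violated-directive", "blocked-uri", "source-file",
                     "line-number"),
    # Coarsest: one counter per page and directive; lines 12 and 112 collapse.
    "per-page": ("document-uri", "violated-directive"),
}

def parse_report(raw):
    """Parse one POSTed body; reject anything without a csp-report object."""
    body = json.loads(raw)
    if not isinstance(body.get("csp-report"), dict):
        raise ValueError("not a CSP violation report")
    return body["csp-report"]

def report_key(violation, scheme):
    """Project a violation onto the fields of the chosen scheme."""
    return tuple(str(violation.get(f, "")) for f in KEY_FIELDS[scheme])

def aggregate(raw_reports, scheme):
    """Count distinct events under a scheme: {key: number of reports seen}."""
    return dict(Counter(report_key(parse_report(r), scheme) for r in raw_reports))
```

Running `aggregate(RAW_REPORTS, s)` for the three schemes yields 4, 3 and 2 distinct events from the same four reports, which is the whole problem: the suppression that is correct for the shared include is the one that hides a repeated injection.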