- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 20 Jun 2014 16:49:02 -0700
- To: Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>
- CC: "Hill, Brad" <bhill@paypal.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Neil Matatall <neilm@twitter.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 6/20/2014 4:23 PM, Chris Palmer wrote:
> How complicated does this need to be? Not very.
>
> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-15#section-2.5
>
> """UAs SHOULD make a best effort not to inundate report-uris with
> redundant reports.""" Especially if they know they are on an expensive
> data plan vs. (potentially not expensive) wifi and if they know the
> battery is low.

That's easy enough to say for key pinning, which only has one fact to communicate. For CSP, which reports are duplicative? There could be dozens on a single page. Is an inline script found on line 12 of the HTML a duplicate of an inline script on line 112? What if the site has a common framework and the same error shows up page after page in a shared inclusion? Is that a duplicate that can be suppressed, or a sign of the same attack affecting multiple pages?

There's not much report suppressing the client can safely do without guidance from the site's authors.

If this isn't bothering anyone else, then never mind; I'll tell the Mozilla web devs to suck it up and deal with it.

-Dan Veditz
Received on Friday, 20 June 2014 23:49:33 UTC
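The message argues that only the site's authors know which CSP reports count as duplicates. The following is an added example (not code from this thread, nor from Mozilla, Chromium or the CSP spec) of a report-uri collector that applies that choice server-side: the same constructed reports are grouped either per page or per code location, so the line 12 / line 112 case stays distinct under both keys, while the shared-include case collapses into one entry, with the affected pages retained, only under the per-location key. Field names follow the CSP report-uri JSON body; the sample reports and both grouping keys are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample reports (report-uri JSON bodies), not taken from the thread.
def _report(doc, src, line, blocked="inline", directive="script-src 'self'"):
    return json.dumps({"csp-report": {
        "document-uri": doc, "violated-directive": directive,
        "blocked-uri": blocked, "source-file": src, "line-number": line}})

SAMPLE_REPORTS = [
    # two distinct inline scripts on the same page (lines 12 and 112)
    _report("https://example.test/a", "https://example.test/a", 12),
    _report("https://example.test/a", "https://example.test/a", 112),
    # the same violation raised from a shared include on three pages
    _report("https://example.test/a", "https://example.test/common.js", 40,
            "https://third.example.test/t.js"),
    _report("https://example.test/b", "https://example.test/common.js", 40,
            "https://third.example.test/t.js"),
    _report("https://example.test/c", "https://example.test/common.js", 40,
            "https://third.example.test/t.js"),
    # an exact repeat of the first report (e.g. a page reload)
    _report("https://example.test/a", "https://example.test/a", 12),
]

# Two site-chosen notions of "duplicate" (hypothetical keys for this example):
# per page, or per code location regardless of which page included it.
PER_DOCUMENT = ("document-uri", "violated-directive", "blocked-uri",
                "source-file", "line-number")
PER_LOCATION = ("violated-directive", "blocked-uri", "source-file", "line-number")

def aggregate(raw_reports, key_fields):
    """Group report bodies by key_fields -> {key: {"count", "documents"}}.

    "documents" keeps every page a group was seen on, so a per-location
    group that spans many pages is still visible as a multi-page issue.
    """
    groups = defaultdict(lambda: {"count": 0, "documents": set()})
    for raw in raw_reports:
        try:
            body = json.loads(raw).get("csp-report")
        except (ValueError, AttributeError):
            body = None
        if not isinstance(body, dict):
            continue  # drop malformed bodies instead of failing the endpoint
        key = tuple(str(body.get(f, "")) for f in key_fields)
        groups[key]["count"] += 1
        groups[key]["documents"].add(body.get("document-uri", ""))
    return dict(groups)

if __name__ == "__main__":
    for name, key in (("per-document", PER_DOCUMENT), ("per-location", PER_LOCATION)):
        for k, v in aggregate(SAMPLE_REPORTS, key).items():
            print(name, v["count"], sorted(v["documents"]), k)
```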