- From: Neil Matatall <neilm@twitter.com>
- Date: Wed, 25 Jun 2014 18:33:25 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I'd like to propose adding a new field to the CSP reports: report-only. It's [arguably] valuable to know whether or not the policy was enforced when a given violation report is generated. Sometimes policies are enforced for a percentage or defined subset of users (or not at all), but there is no way to determine this from the report without "smuggling" params in the report-uri. As you can probably tell, I'm not entirely convinced this is even worth while (like my status code proposal).
Received on Thursday, 26 June 2014 01:33:53 UTC