[CSP] Additional report field: report-only: "true|false"

From: Neil Matatall <neilm@twitter.com>
Date: Wed, 25 Jun 2014 18:33:25 -0700
Message-ID: <CAOFLtbgZ+-RpJP=As=mR1c65e6+68sf7S1kvUsCQgt3Vr-fSkQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I'd like to propose adding a new field to the CSP reports: report-only.

It's [arguably] valuable to know whether or not the policy was
enforced when a given violation report is generated. Sometimes
policies are enforced for a percentage or defined subset of users (or
not at all), but there is no way to determine this from the report
without "smuggling" params in the report-uri.

As you can probably tell, I'm not entirely convinced this is even
worthwhile (like my status code proposal).
Received on Thursday, 26 June 2014 01:33:53 UTC
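
The report-uri workaround the message describes, sketched as an added example (not code from the original post or from any CSP implementation): the delivery mode is tagged onto the report-uri when the header is built, and the collector recovers it from the request URL. The `/csp-report` path, the `mode` parameter, its two values and the function names are assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

REPORT_PATH = "/csp-report"               # assumed collector endpoint
KNOWN_MODES = ("enforce", "report-only")  # assumed tag values

def policy_header(policy, enforce):
    """Build the response header, tagging the delivery mode onto report-uri."""
    name = ("Content-Security-Policy" if enforce
            else "Content-Security-Policy-Report-Only")
    tag = urlencode({"mode": "enforce" if enforce else "report-only"})
    return name, f"{policy}; report-uri {REPORT_PATH}?{tag}"

def classify_report(request_target, body):
    """Collector side: recover the mode from the request URL of a report POST."""
    modes = parse_qs(urlsplit(request_target).query).get("mode", [])
    # Anyone can POST to the collector, so accept the tag only if it appears
    # exactly once with a known value; otherwise record the mode as unknown.
    mode = modes[0] if len(modes) == 1 and modes[0] in KNOWN_MODES else "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # not JSON: drop it
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    return {"mode": mode,
            "violated-directive": report.get("violated-directive"),
            "blocked-uri": report.get("blocked-uri")}

# Constructed sample report body, in the shape browsers send to report-uri.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.com/",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example/x.js",
}})

if __name__ == "__main__":
    for enforce in (True, False):
        name, value = policy_header("script-src 'self'", enforce)
        print(f"{name}: {value}")
        target = value.split("report-uri ", 1)[1]
        print(classify_report(target, SAMPLE_BODY))
```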
