
Re: [CSP] Additional report field: report-only: "true|false"

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 25 Jun 2014 21:14:30 -0500
Message-ID: <CAPfop_0cou2_=BN9BtYBiarvxe30CJr=YP4-VcRzV0Rk7=SEYQ@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

I think the separate report URIs (via extra params or different end points)
is the easier option here.


On 25 June 2014 20:33, Neil Matatall <neilm@twitter.com> wrote:

> I'd like to propose adding a new field to the CSP reports: report-only.
>
> It's [arguably] valuable to know whether or not the policy was
> enforced when a given violation report is generated. Sometimes
> policies are enforced for a percentage or defined subset of users (or
> not at all), but there is no way to determine this from the report
> without "smuggling" params in the report-uri.
>
> As you can probably tell, I'm not entirely convinced this is even
> worth while (like my status code proposal).
>
>
Received on Thursday, 26 June 2014 02:15:17 UTC
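
An added example, not part of the original thread or of any project's code: one way to carry the enforced versus report-only distinction in the report-uri query string, the approach discussed in the messages above, including enforcement for only a percentage of users. The `/csp-report` path, the `mode` parameter, the policy string and the bucketing function are assumptions.

```javascript
// Added example. The CSP header names are real; the /csp-report path, the
// "mode" parameter, the policy string and the bucketing are assumptions.
const POLICY = "default-src 'self'";
const REPORT_PATH = '/csp-report';
const MODES = ['enforce', 'report-only'];

// Stable 0..99 bucket (FNV-1a) so one user always lands in the same mode.
function bucket(userId) {
  let h = 0x811c9dc5;
  for (const ch of String(userId)) {
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
  }
  return h % 100;
}

// Header for one response: enforce for enforcePercent% of users, otherwise
// report-only, with the mode recorded in the report-uri query string.
function cspHeaderFor(userId, enforcePercent) {
  const enforced = bucket(userId) < enforcePercent;
  return {
    name: enforced ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only',
    value: `${POLICY}; report-uri ${REPORT_PATH}?mode=${MODES[enforced ? 0 : 1]}`,
  };
}

// Collector: recover the mode from the request URL. Reports come from
// browsers, so both the URL and the body are untrusted input.
function classifyReport(requestUrl, body) {
  const url = new URL(requestUrl, 'https://collector.invalid');
  const mode = url.searchParams.get('mode');
  if (url.pathname !== REPORT_PATH || !MODES.includes(mode)) return null;
  let parsed;
  try { parsed = JSON.parse(body); } catch { return null; }
  const report = parsed && parsed['csp-report'];
  if (!report || typeof report !== 'object') return null;
  return {
    enforced: mode === 'enforce',
    directive: report['violated-directive'] || null,
    blockedUri: report['blocked-uri'] || null,
  };
}

// Constructed sample report body, in the shape browsers POST to report-uri.
const SAMPLE_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://example.test/home',
  'violated-directive': "script-src 'self'",
  'blocked-uri': 'https://cdn.example.test/x.js',
} });
```

Because the `mode` value travels through the client, it is a label for triage and aggregation rather than an authenticated fact about what the browser enforced.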
