- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 25 Jun 2014 21:14:30 -0500
- To: Neil Matatall <neilm@twitter.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 26 June 2014 02:15:17 UTC
I think the separate report URIs (via extra params or different end points) is the easier option here.

On 25 June 2014 20:33, Neil Matatall <neilm@twitter.com> wrote:
> I'd like to propose adding a new field to the CSP reports: report-only.
>
> It's [arguably] valuable to know whether or not the policy was
> enforced when a given violation report is generated. Sometimes
> policies are enforced for a percentage or defined subset of users (or
> not at all), but there is no way to determine this from the report
> without "smuggling" params in the report-uri.
>
> As you can probably tell, I'm not entirely convinced this is even
> worth while (like my status code proposal).
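The separate-report-URI approach discussed in this message, sketched as an added example (not code from either poster or from the CSP specification). The collector host, the `mode` query parameter and both function names are assumptions; the header names and the `csp-report` field names are the standard ones.

```javascript
// Added example. Hypothetical names: buildCspHeader, classifyReport, "mode".
const HEADER = {
  enforce: "Content-Security-Policy",
  "report-only": "Content-Security-Policy-Report-Only",
};
const isMode = (m) => Object.prototype.hasOwnProperty.call(HEADER, m);

// Build the response header for one deployment mode. The report-uri carries
// the mode, so the collector can tell enforced violations from report-only.
function buildCspHeader(directives, collectorUrl, mode) {
  if (!isMode(mode)) throw new Error("unknown mode: " + mode);
  const reportUri = new URL(collectorUrl);
  reportUri.searchParams.set("mode", mode);
  return {
    name: HEADER[mode],
    value: `${directives}; report-uri ${reportUri.href}`,
  };
}

// Collector side: recover the mode from the URL the browser POSTed to and
// pair it with the standard fields of the report body.
function classifyReport(requestUrl, rawBody) {
  const mode = new URL(requestUrl).searchParams.get("mode");
  let report;
  try {
    report = JSON.parse(rawBody)["csp-report"];
  } catch (e) {
    return null; // body is not a JSON object
  }
  if (!report || typeof report !== "object") return null;
  return {
    mode: isMode(mode) ? mode : "unknown", // missing or tampered parameter
    documentUri: report["document-uri"],
    violatedDirective: report["violated-directive"],
    blockedUri: report["blocked-uri"],
  };
}

// Constructed sample report body, not captured from a real browser.
const SAMPLE_BODY = JSON.stringify({
  "csp-report": {
    "document-uri": "https://app.example.test/home",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example.test/lib.js",
  },
});
```

Because the parameter travels in a URL that any client can POST to, the collector should treat the recovered mode as a hint for triage rather than as authenticated data.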