Re: Remove paths from CSP?

On 5/20/2014 7:18 AM, Sigbjørn Vik wrote:
> However, I do not think I will be able to convince you to support the
> alternative proposal of dropping error reporting instead, even if that
> from a security point of view is better.

I'm not convinced error reporting is the problem, though--the fact that 
it's blocked is. Can't you detect whether something got blocked through 
onload/onerror entirely within the attack page?

That said, I'd almost be happy to consider dropping reporting because I 
think the flood of false-positive reports people get when they use it 
prevents people from deploying CSP.

-Dan Veditz

Received on Wednesday, 21 May 2014 15:03:15 UTC