- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 21 May 2014 08:02:47 -0700
- To: Sigbjørn Vik <sigbjorn@opera.com>, Mike West <mkwst@google.com>
- CC: Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>

On 5/20/2014 7:18 AM, Sigbjørn Vik wrote:
> However, I do not think I will be able to convince you to support the
> alternative proposal of dropping error reporting instead, even if that
> from a security point of view is better.

I'm not convinced error reporting is the problem, though--the fact that it's blocked is. Can't you detect whether something got blocked through onload/onerror entirely within the attack page?

That said, I'd almost be happy to consider dropping reporting because I think the flood of false-positive reports people get when they use it prevents people from deploying CSP.

-Dan Veditz

Received on Wednesday, 21 May 2014 15:03:15 UTC