
Re: Remove paths from CSP?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 21 May 2014 08:02:47 -0700
Message-ID: <537CC017.9090603@mozilla.com>
To: Sigbjørn Vik <sigbjorn@opera.com>, Mike West <mkwst@google.com>
CC: Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
On 5/20/2014 7:18 AM, Sigbjørn Vik wrote:
> However, I do not think I will be able to convince you to support the
> alternative proposal of dropping error reporting instead, even if that
> from a security point of view is better.

I'm not convinced error reporting is the problem, though--the fact that 
it's blocked is. Can't you detect whether something got blocked through 
onload/onerror entirely within the attack page?

That said, I'd almost be happy to consider dropping reporting because I 
think the flood of false-positive reports people get when they use it 
prevents people from deploying CSP.

-Dan Veditz
Received on Wednesday, 21 May 2014 15:03:15 UTC
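The detection Dan refers to above, as an added example that is not code from this e-mail or from the thread: a page learns whether one of its own sub-resource loads was blocked purely from the element's load/error events, so removing report-uri would not remove that signal. Everything below is assumed for illustration: the hostnames, the "policy" predicate (a simplified stand-in for the browser's CSP source matching, not the real algorithm), and the simulated element used so the code runs outside a browser.

```javascript
// Added example (not from the original e-mail). Shows that a page can observe
// a blocked sub-resource load through onload/onerror alone, with no reporting.
// Hostnames, the policy predicate and the simulated element are all assumed.

const DEFAULT_TIMEOUT_MS = 5000;

// Start a load of `url` through an element obtained from `createElement` and
// report how it ended. In a browser pass `(tag) => document.createElement(tag)`:
// a CSP-blocked <img> fires `error`, an allowed one fires `load`.
function probeLoad(url, createElement, timeoutMs = DEFAULT_TIMEOUT_MS) {
  return new Promise((resolve) => {
    const el = createElement('img');
    let settled = false;
    let timer = null;
    const finish = (outcome) => {
      if (settled) return;
      settled = true;
      if (timer !== null) clearTimeout(timer);
      resolve(outcome);
    };
    el.onload = () => finish('loaded');   // final URL was allowed by policy
    el.onerror = () => finish('blocked'); // policy (or the network) refused it
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    el.src = url; // assigning src is what starts the fetch
  });
}

// Simplified path policy used only by the simulation (assumption, not the
// browser's CSP algorithm): a URL is allowed when it starts with the prefix.
function pathPolicy(allowedPrefix) {
  return (url) => url.startsWith(allowedPrefix);
}

// Constructed stand-in for a browser element: instead of fetching, it consults
// `isAllowed` and fires the same event a real <img> would, asynchronously.
function makeSimulatedElementFactory(isAllowed) {
  return (tag) => {
    const el = { tag, onload: null, onerror: null };
    Object.defineProperty(el, 'src', {
      set(url) {
        setTimeout(() => {
          if (isAllowed(url)) { if (el.onload) el.onload(); }
          else if (el.onerror) el.onerror();
        }, 0);
      },
    });
    return el;
  };
}

// Probe two URLs under a policy that allows only one path prefix and return
// the outcome per URL: { url: 'loaded' | 'blocked' | 'timeout' }.
async function demo() {
  const factory = makeSimulatedElementFactory(
    pathPolicy('https://victim.example/allowed/'));
  const results = {};
  for (const url of ['https://victim.example/allowed/pixel.png',
                     'https://victim.example/other/pixel.png']) {
    results[url] = await probeLoad(url, factory);
  }
  return results;
}

demo().then((r) => console.log(r));
```

In a real browser the factory argument is simply `(tag) => document.createElement(tag)`, and the page's own Content-Security-Policy header supplies the policy; the probe code does not change. The outcome does not tell the page why the load failed, only that it did, which is the whole signal a report-uri would also have carried.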
