
Re: CSP reports on eval() and inline

From: Neil Matatall <neilm@twitter.com>
Date: Mon, 15 Sep 2014 21:56:29 -0700
Message-ID: <CAOFLtbhFwOtmxEmBsd9tKosfr_vjhju9qTfMsZOnbTqa7L9upg@mail.gmail.com>
To: Pete Freitag <pete@foundeo.com>
Cc: "Hill, Brad" <bhill@paypal.com>, Mike West <mkwst@google.com>, Pawel Krawczyk <pawel.krawczyk@hush.com>, "Daniel Veditz <dveditz@mozilla. com>" <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I just wanted to update this:

> For the sake of completeness in this area, do javascript: urls get reported as such or just an inline violation? (my tests for that don't have a report-uri and I won't be able to context-switch and fix that for a bit)

As of Firefox ~31+, "javascript:" is included in the script-sample for
links with an href =~ /javascript:/ that are clicked.

I have data for the various types of inline/blank blocked-uri
violations across a variety of UAs (using
csp-inline-fingerprint.herokuapp.com + browserstack screenshot feature
+ some crowdsourcing). The data set is surely incomplete, but I hope
it helps illustrate the value in providing more data in the report.

On Fri, Sep 5, 2014 at 7:28 AM, Pete Freitag <pete@foundeo.com> wrote:
> On Thu, Sep 4, 2014 at 2:11 PM, Hill, Brad <bhill@paypal.com> wrote:
>>
>> If one implementation is reporting something that users find sane and
>> useful, where other implementations aren't reporting anything, documenting
>> and converging on the existing useful behavior would be my strongest
>> preference.
>
>
> I find the "script-sample" that Firefox sends in CSP reports to be very
> useful.
>
> --
> Pete Freitag
> http://content-security-policy.com/ - CSP Quick Reference
>
Received on Tuesday, 16 September 2014 04:57:02 UTC
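As an added example of the kind of report-uri consumer this discussion implies (not code from the thread or from any participant), the following Python script labels CSP violation reports by the kind of source that was blocked. It assumes the CSP 1.0/CSP 2 report shape (a top-level "csp-report" object carrying "violated-directive" and "blocked-uri") plus Firefox's non-standard "script-sample" field; it applies the observation from Neil's message that a clicked javascript: href shows up as a script-sample starting with "javascript:", and it treats "self" and an empty blocked-uri as assumed older spellings of an inline violation rather than as a claim about any particular UA. The sample report bodies are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample report bodies (not data from the thread). Each is shaped
# like the JSON a report-uri endpoint receives: a top-level "csp-report"
# object with "violated-directive", "blocked-uri" and, in Firefox, the
# non-standard "script-sample" field the thread discusses.
SAMPLE_REPORTS = [
    # inline script, with a script-sample
    '{"csp-report":{"document-uri":"https://app.example/","violated-directive":"script-src \'self\'","blocked-uri":"inline","script-sample":"alert(document.cookie)"}}',
    # clicked javascript: href; the sample starts with the scheme
    '{"csp-report":{"document-uri":"https://app.example/","violated-directive":"script-src \'self\'","blocked-uri":"","script-sample":"javascript:void(0)"}}',
    # eval() use, blocked-uri spelled "eval"
    '{"csp-report":{"document-uri":"https://app.example/","violated-directive":"script-src \'self\'","blocked-uri":"eval"}}',
    # blank blocked-uri and no sample: inline or eval, cannot tell
    '{"csp-report":{"document-uri":"https://app.example/","violated-directive":"script-src \'self\'","blocked-uri":""}}',
    # inline style, reported with "self" as the blocked-uri (assumed variant)
    '{"csp-report":{"document-uri":"https://app.example/","violated-directive":"style-src \'self\'","blocked-uri":"self"}}',
    # ordinary external resource
    '{"csp-report":{"document-uri":"https://app.example/","violated-directive":"script-src \'self\'","blocked-uri":"https://cdn.example/lib.js"}}',
    # a body with no "csp-report" wrapper and a bare-scheme blocked-uri
    '{"violated-directive":"img-src \'self\'","blocked-uri":"data"}',
]

# Values seen in blocked-uri for non-URL violations. "inline" and "eval" are
# the CSP 2 spellings; "self" and "" are assumed older variants (assumption).
INLINE_MARKERS = {"inline", "self", ""}


def parse_csp_report(body: str) -> dict:
    """Return the inner csp-report object; tolerate an unwrapped body."""
    data = json.loads(body)
    return data.get("csp-report", data)


def effective_directive(report: dict) -> str:
    """\"script-src 'self'\" -> \"script-src\" (first token only)."""
    return (report.get("violated-directive") or "").split(" ", 1)[0]


def classify(report: dict) -> str:
    """Label one violation by the kind of source that was blocked."""
    directive = effective_directive(report)
    blocked = report.get("blocked-uri") or ""
    sample = (report.get("script-sample") or "").lstrip()

    # Firefox ~31+ puts the scheme in script-sample for clicked javascript: hrefs.
    if sample.lower().startswith("javascript:"):
        return "javascript-url"
    if blocked == "eval":
        return "eval"
    if blocked in INLINE_MARKERS:
        if directive.startswith("style-src"):
            return "inline-style"
        if directive.startswith("script-src"):
            # With a blank blocked-uri and no sample, inline and eval are
            # indistinguishable, which is the gap the thread is about.
            if sample or blocked != "":
                return "inline-script"
            return "inline-or-eval"
        return "inline-other"
    # Anything else should be a URL, or a bare scheme such as "data".
    host = urlsplit(blocked).netloc
    return f"external:{host}" if host else f"scheme:{blocked}"


def summarize(bodies) -> Counter:
    """Count violation labels across a batch of raw report bodies."""
    return Counter(classify(parse_csp_report(b)) for b in bodies)


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {label}")
```

The "inline-or-eval" bucket is the point: a receiver that only looks at blocked-uri cannot separate those two cases when the UA sends a blank value, and only the script-sample (where a UA supplies one) lets the javascript: case be told apart from other inline violations.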