- From: Neil Matatall <neilm@twitter.com>
- Date: Mon, 15 Sep 2014 21:56:29 -0700
- To: Pete Freitag <pete@foundeo.com>
- Cc: "Hill, Brad" <bhill@paypal.com>, Mike West <mkwst@google.com>, Pawel Krawczyk <pawel.krawczyk@hush.com>, "Daniel Veditz <dveditz@mozilla. com>" <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I just wanted to update this:

> For the sake of completeness in this area, do javascript: urls get reported as such or just an inline violation? (my tests for that don't have a report-uri and I won't be able to context-switch and fix that for a bit)

As of Firefox ~31+, "javascript:" is included in the script-sample for links with an href =~ /javascript:/ that are clicked.

I have data for the various types of inline/blank blocked-uri violations across a variety of UAs (using csp-inline-fingerprint.herokuapp.com + browserstack screenshot feature + some crowdsourcing). The data set is surely incomplete, but I hope it helps illustrate the value in providing more data in the report.

On Fri, Sep 5, 2014 at 7:28 AM, Pete Freitag <pete@foundeo.com> wrote:
> On Thu, Sep 4, 2014 at 2:11 PM, Hill, Brad <bhill@paypal.com> wrote:
>>
>> If one implementation is reporting something that users find sane and
>> useful, where other implementations aren't reporting anything, documenting
>> and converging on the existing useful behavior would be my strongest
>> preference.
>
>
> I find the "script-sample" that Firefox sends in CSP reports to be very
> useful.
>
> --
> Pete Freitag
> http://content-security-policy.com/ - CSP Quick Reference
>
Received on Tuesday, 16 September 2014 04:57:02 UTC
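The thread is about how much a report-uri receiver can learn from a violation report when blocked-uri is "inline", "self" or blank and when (in Firefox) script-sample carries "javascript:". The following is an added example, not code from the thread, from any browser vendor or from the fingerprinting site mentioned above: a small Node.js classifier for the JSON bodies a browser POSTs to report-uri. It assumes the report shape of the time (a top-level "csp-report" object with blocked-uri, violated-directive, optionally effective-directive and script-sample), treats all three of "inline", "self" and "" as inline markers because which one a UA sends has varied, and uses a leading "javascript:" in script-sample or blocked-uri to recognise a clicked javascript: link. The sample report bodies at the bottom are constructed for illustration, not captured from real browsers.

```javascript
// Added example (not part of the original thread): classify CSP violation
// reports POSTed to a report-uri endpoint into inline-script, inline-style,
// javascript: URL, eval and external buckets. The blocked-uri strings a
// browser sends for an inline violation ("inline", "self" or "") have
// varied across UAs, so all three are treated as inline markers (assumption).

// blocked-uri values that mean "no URI, the source was inline".
const INLINE_MARKERS = new Set(["inline", "self", ""]);

function parseReportBody(text) {
  // report-uri POST bodies are JSON; reject anything that is not an object.
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return null;
  }
  if (parsed === null || typeof parsed !== "object") return null;
  // Reports are wrapped in a top-level "csp-report" key; accept bare ones too.
  const inner = parsed["csp-report"];
  return inner && typeof inner === "object" ? inner : parsed;
}

function directiveName(report) {
  // violated-directive may carry the full directive text ("script-src 'self'");
  // effective-directive, where present, is just the name. Take the first token.
  const raw = report["effective-directive"] || report["violated-directive"] || "";
  return String(raw).trim().split(/\s+/)[0].toLowerCase();
}

function classifyReport(report) {
  const blocked = String(report["blocked-uri"] || "").trim().toLowerCase();
  const sample = String(report["script-sample"] || "").trim();
  const directive = directiveName(report);

  if (blocked === "eval") return "eval";

  // Firefox starts script-sample with "javascript:" for a clicked javascript:
  // href (per the thread); a blocked-uri of "javascript:" would mean the same.
  if (/^javascript:/i.test(sample) || /^javascript:/i.test(blocked)) {
    return "javascript-url";
  }

  if (INLINE_MARKERS.has(blocked)) {
    if (directive.startsWith("script-src")) return "inline-script";
    if (directive.startsWith("style-src")) return "inline-style";
    return "inline-other";
  }
  return "external";
}

// Aggregate raw POST bodies into per-category counts plus the distinct
// script samples seen; the samples are what make the inline bucket actionable.
function summarizeReports(bodies) {
  const counts = {};
  const samples = new Set();
  let malformed = 0;
  for (const text of bodies) {
    const report = parseReportBody(text);
    if (!report) {
      malformed += 1;
      continue;
    }
    const category = classifyReport(report);
    counts[category] = (counts[category] || 0) + 1;
    if (report["script-sample"]) samples.add(String(report["script-sample"]));
  }
  return { counts, samples: [...samples], malformed };
}

// Constructed sample bodies (not captured from real browsers).
const SAMPLE_BODIES = [
  // Chrome-style inline script violation: blocked-uri "inline", no sample.
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "inline" } }),
  // Firefox-style inline script violation: blocked-uri "self" plus a sample.
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'", "blocked-uri": "self", "script-sample": "alert(document.cookie)" } }),
  // Firefox-style clicked javascript: link: sample starts with "javascript:".
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'", "blocked-uri": "self", "script-sample": "javascript:alert(1)" } }),
  // eval() blocked by the absence of 'unsafe-eval'.
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'", "blocked-uri": "eval" } }),
  // External script from a disallowed origin.
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.evil.example/x.js" } }),
  // Inline style, blank blocked-uri.
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "violated-directive": "style-src 'self'", "blocked-uri": "" } }),
  // Garbage a scanner might POST to the endpoint.
  "not json",
];

console.log(JSON.stringify(summarizeReports(SAMPLE_BODIES), null, 2));
```

Run with `node csp_report_classify.js` (file name assumed). Because the report body is attacker-influenced input, the parser rejects non-object JSON and counts malformed bodies separately rather than throwing, and the script-sample set is kept distinct so a single XSS probe does not drown the count in repeats.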