On Fri, Feb 6, 2015 at 5:34 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: > I just want to note that I don't believe CSP reporting in its current > state is a viable alternative for gathering the requisite telemetry. > On deploying CSP, the vast majority of reports you see are extension > noise and it takes a lot of work to really be able to clean up the > noise and figure out whats broken. All the engineers who have deployed > CSP have shared similar stories of the crazy amounts of noise. I have > serious doubts this is practical for helping with HTTPS deployment. > Reports are indeed noisy, but I don't think it's the case that it's impossible to extract value out of them. Jacob noted in https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0080.html that Twitter used them successfully to track mixed content. In any event, Chrome has gotten at least marginally less noisy at this over the last few months, due to Joel's effort. If you file more bugs, I'm sure he'll be happy to fix them. :P > Have we considered Service Worker for this? It seems easy to use > Service Workers to log HTTP requests or try upgrading to HTTPS. This > allows the origin to remain in control too. > I believe that ServiceWorker has even less chance of distinguishing an extension-driven request from a "real" request, given its distance from the point where the content is injected. Can you elaborate on the mechanism you'd like to see? -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 February 2015 04:50:12 UTC