I have until now agreed that a <meta> -Report-Only policy makes no sense because of the lack of a report-uri, but CSP2 also supports DOM events for violations so it might actually be useful to support a test-only mode if that's some site's primary reporting mechanism. We'd have to give sites a way to distinguish Report-Only events from real blocks; adding a field to the event is probably simplest. (Note that the DOM events sort of reopen the attack that led us to restrict the use of report-uri in <meta> policies, although to take advantage of it you would need script injection--already game-over wrt CSP--rather than simple HTML injection so there is still value in treating the two differently.) On Tue, Jan 20, 2015 at 2:45 AM, Mike West <mkwst@google.com> wrote: > This goes along with the `report-uri` restriction; it doesn't make sense > to allow a report-only policy if we're not allowing a reporting endpoint, > does it? > - Dan Veditz
Received on Sunday, 25 January 2015 22:02:27 UTC