I have until now agreed that a <meta> -Report-Only policy makes no sense
because of the lack of a report-uri, but CSP2 also supports DOM events for
violations so it might actually be useful to support a test-only mode if
that's some site's primary reporting mechanism. We'd have to give sites a
way to distinguish Report-Only events from real blocks; adding a field to
the event is probably simplest.

(Note that the DOM events sort of reopen the attack that led us to restrict
the use of report-uri in <meta> policies, although to take advantage of it
you would need script injection--already game-over wrt CSP--rather than
simple HTML injection so there is still value in treating the two
differently.)

On Tue, Jan 20, 2015 at 2:45 AM, Mike West <mkwst@google.com> wrote:
> This goes along with the `report-uri` restriction; it doesn't make sense
> to allow a report-only policy if we're not allowing a reporting endpoint,
> does it?
>
-
Dan Veditz