
Re: [CSP] violation reports for sandbox

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 25 Jan 2015 14:02:00 -0800
Message-ID: <CADYDTCCsQPrRAgpofBut5Nwzqm6ns29K5BZNcj+PdJuGf=pMXg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I have until now agreed that a <meta> -Report-Only policy makes no sense
because of the lack of a report-uri, but CSP2 also supports DOM events for
violations so it might actually be useful to support a test-only mode if
that's some site's primary reporting mechanism. We'd have to give sites a
way to distinguish Report-Only events from real blocks; adding a field to
the event is probably simplest.

(Note that the DOM events sort of reopen the attack that led us to restrict
the use of report-uri in <meta> policies, although to take advantage of it
you would need script injection--already game-over wrt CSP--rather than
simple HTML injection so there is still value in treating the two
differently.)

On Tue, Jan 20, 2015 at 2:45 AM, Mike West <mkwst@google.com> wrote:

> This goes along with the `report-uri` restriction; it doesn't make sense
> to allow a report-only policy if we're not allowing a reporting endpoint,
> does it?
>

-
Dan Veditz
Received on Sunday, 25 January 2015 22:02:27 UTC
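As an added example, not code from this thread: a page-side listener that separates Report-Only violation events from real blocks using the `disposition` attribute ("enforce" or "report") that CSP3 later added to `SecurityPolicyViolationEvent` for exactly this purpose; that attribute name does not appear in the message above. The `sinks` object (a collector for enforced blocks, a local test log for the rest) is a hypothetical stand-in for whatever the site uses.

```javascript
// Added example, not from the thread. Assumes the CSP3 `disposition`
// attribute; CSP2-era implementations may omit it, so that case is
// reported as "unknown" rather than silently treated as a real block.

// Build a report-uri style JSON object from an event-like object.
function classifyViolation(ev) {
  const mode = ev.disposition === 'report' ? 'report-only'
             : ev.disposition === 'enforce' ? 'enforce'
             : 'unknown';               // no disposition: cannot tell them apart
  return {
    mode,
    report: {
      'document-uri': ev.documentURI,
      'violated-directive': ev.violatedDirective,
      'effective-directive': ev.effectiveDirective,
      'blocked-uri': ev.blockedURI,
      'original-policy': ev.originalPolicy,
    },
  };
}

// Route: enforced blocks go to the collector; report-only (and unknown)
// stay in a local test log so a policy under test does not flood the
// production endpoint. `sinks` is a hypothetical interface.
function routeViolation(ev, sinks) {
  const { mode, report } = classifyViolation(ev);
  if (mode === 'enforce') sinks.collector(report);
  else sinks.testLog(mode, report);
  return mode;
}

// Hook the listener up in a browser; returns false outside one.
function installListener(sinks) {
  if (typeof document === 'undefined') return false;
  document.addEventListener('securitypolicyviolation',
    ev => routeViolation(ev, sinks));
  return true;
}
```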
