
Re: CSP reports: `script-sample`

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 19 Oct 2016 12:33:28 -0700
To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Artur Janc <aaj@google.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Frederik Braun <fbraun@mozilla.com>, Scott Helme <scotthelme@hotmail.com>
Message-ID: <aad18798-bee7-37ba-940f-06f6270ef616@mozilla.com>

On 10/17/16 7:15 AM, Mike West wrote:
> 2. It's not reasonable to provide developers with details of
> third-party script, unless that external script has opted into
> sharing details

Can you give any examples? I don't see our code doing that. If we are, I
agree we shouldn't; we should be reporting on in-line scripts only.

> Perhaps Mozilla folks did some research when implementing this
> feature that justify/explain the 40 character limit as
> sufficiently-safe?

It was Brandon's initial best guess that no one has suggested changing:
https://bugzilla.mozilla.org/show_bug.cgi?id=600584#c5

-Dan Veditz
Received on Wednesday, 19 October 2016 19:33:59 UTC
