
Re: Reports feature violates the same-origin policy

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 15 Feb 2017 12:09:24 -0800
Message-ID: <CADYDTCDOykMj_4J2Y6TgpSZHaEs5D-4gknF8wue2m77tn=mxVw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

I was being somewhat snarky; I'm not actually proposing we change the
reporting content-type. CSP's report-uri uses a Content-Type of
application/csp-report. If a hypothetical JSON-consuming server is checking
Content-Type they should already be fine. If they aren't then a malicious
web site's ability to hit the server with text/plain JSON payloads would
pose similar risk. I wouldn't want to generically whitelist
application/csp-report if that means arbitrary xhr/fetch could also use
those. At least with a real CSP report there are restrictions on the
possible data that's sent that are unlikely to match some other service's
JSON format.

In CSP 3 report-uri is deprecated in favor of report-to. Report-to uses the
reporting service spec which defines a content-type of application/report,
and also that the request mode is "cors". Isn't that basically what you
want? Can we leave the report-uri behavior alone as a historical artifact
of 2011 spec making?

-
Dan Veditz
Received on Wednesday, 15 February 2017 20:10:17 UTC
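The message argues that a JSON-consuming endpoint which checks Content-Type is already protected from cross-site POSTs of text/plain JSON, and that a real CSP report has a constrained shape. The following is an added example (not code from the thread, Mozilla, or any W3C spec) showing that server-side check for a report-uri endpoint; the sample requests are constructed, and the field names are those of the CSP report-uri JSON format.

```python
"""Server-side validation of a CSP report-uri POST: Content-Type first, then shape."""
import json

# Content-Type that report-uri sends, as stated in the thread.
EXPECTED_TYPE = "application/csp-report"
# Fields carried inside the "csp-report" object of the report-uri format.
REQUIRED_FIELDS = {"document-uri", "violated-directive"}
OPTIONAL_FIELDS = {"referrer", "effective-directive", "original-policy",
                   "blocked-uri", "disposition", "status-code", "script-sample",
                   "source-file", "line-number", "column-number"}

def validate_csp_report(content_type, body):
    """Return (accepted, reason) for one POSTed report.

    Anything that is not application/csp-report is rejected before the body
    is parsed, so a cross-site text/plain POST never reaches the JSON handler.
    """
    # Strip parameters such as "; charset=utf-8" and compare case-insensitively.
    mtype = (content_type or "").split(";", 1)[0].strip().lower()
    if mtype != EXPECTED_TYPE:
        return False, f"unexpected Content-Type {mtype or '<none>'!r}"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    # The format is exactly one top-level key wrapping the report object.
    if not isinstance(data, dict) or set(data) != {"csp-report"}:
        return False, "top level must be exactly {'csp-report': {...}}"
    report = data["csp-report"]
    if not isinstance(report, dict):
        return False, "csp-report must be an object"
    missing = REQUIRED_FIELDS - set(report)
    if missing:
        return False, f"missing fields: {sorted(missing)}"
    unknown = set(report) - REQUIRED_FIELDS - OPTIONAL_FIELDS
    if unknown:
        return False, f"unknown fields: {sorted(unknown)}"
    return True, "ok"

# Constructed sample requests (not captured traffic).
GOOD_REPORT = ("application/csp-report", json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example.net/x.js",
    "original-policy": "script-src 'self'; report-uri /csp"}}))
# Some other service's JSON posted cross-site as text/plain: rejected by type.
FORGED_TEXT_PLAIN = ("text/plain", json.dumps({"action": "delete", "id": 7}))
# Correct Content-Type but not a CSP report: rejected by shape.
WRONG_SHAPE = ("application/csp-report", json.dumps({"action": "delete"}))

if __name__ == "__main__":
    for name, req in [("good", GOOD_REPORT), ("text/plain", FORGED_TEXT_PLAIN),
                      ("shape", WRONG_SHAPE)]:
        print(name, validate_csp_report(*req))
```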
