- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 16 Feb 2017 07:25:35 +0100
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 15, 2017 at 9:09 PM, Daniel Veditz <dveditz@mozilla.com> wrote: > I was being somewhat snarky; I'm not actually proposing we change the > reporting content-type. CSP's report-uri uses a Content-Type of > application/csp-report. If a hypothetical JSON-consuming server is checking > Content-Type they should already be fine. If they aren't then a malicious > web site's ability to hit the server with text/plain JSON payloads would > pose similar risk. I wouldn't want to generically whitelist > application/csp-report if that means arbitrary xhr/fetch could also use > those. At least with a real CSP report there are restrictions on the > possible data that's sent that are unlikely to match some other service's > JSON format. Yes, I mentioned that problem with adding it to the safelist. And I agree that the problem is fairly limited, especially as the JSON attack doesn't hold up due to no usage of a +json MIME type scheme, but it's still unclear where we draw the line. The same-origin policy is a boundary and every now and then we cross it in a rather unprincipled manner. And furthermore, we reserve that right only for ourselves, web developers have to pay a higher price. > In CSP 3 report-uri is deprecated in favor of report-to. Report-to uses the > reporting service spec which defines a content-type of application/report, > and also that the request mode is "cors". Isn't that basically what you > want? Can we leave the report-uri behavior alone as a historical artifact of > 2011 spec making? That would end up requiring a CORS preflight. I doubt that's going to be compatible enough? How does deployment of that even work, we'll just break existing reporting services? -- https://annevankesteren.nl/
Received on Thursday, 16 February 2017 06:26:05 UTC