
Re: Reports feature violates the same-origin policy

From: Jean-Baptiste Aviat <jb@sqreen.io>
Date: Thu, 16 Feb 2017 08:50:14 +0100
Cc: Daniel Veditz <dveditz@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <CED7E2D0-1F00-4CCC-8D20-681A035EF742@sqreen.io>
To: Anne van Kesteren <annevk@annevk.nl>
On 16 Feb 2017 at 07:25, Anne van Kesteren <annevk@annevk.nl> wrote:

>> In CSP 3 report-uri is deprecated in favor of report-to. Report-to uses the
>> reporting service spec which defines a content-type of application/report,
>> and also that the request mode is "cors". Isn't that basically what you
>> want? Can we leave the report-uri behavior alone as a historical artifact of
>> 2011 spec making?
> That would end up requiring a CORS preflight. I doubt that's going to
> be compatible enough? How does deployment of that even work, we'll
> just break existing reporting services?

I guess policies relying on CSP 3 will embed both report-to and report-uri. So if you upgrade your policy, you need to use a CSP 3-compliant service.
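As an added example (not part of the thread, and not code from any browser or reporting service): a policy that carries both directives, as the reply expects, and a report endpoint that accepts the legacy report-uri POST as well as report-to delivery, including the CORS preflight the quoted message objects to. The Report-To header shape and the kebab-case versus camelCase field names are assumptions taken from the draft specs of the time; origins, URLs and sample reports are constructed.

```python
import json

# Constructed values for this example (not from the thread).
ALLOWED_ORIGINS = {"https://app.example"}
CORS_HEADERS = {"Access-Control-Allow-Methods": "POST",
                "Access-Control-Allow-Headers": "Content-Type"}


def csp_headers(policy, endpoint, group="csp"):
    """Emit both directives: older browsers honour report-uri, CSP 3 ones
    prefer report-to and look the group up in a Report-To header (header
    shape assumed from the 2017 Reporting API draft)."""
    csp = f"{policy}; report-uri {endpoint}; report-to {group}"
    report_to = json.dumps({"group": group, "max-age": 86400,
                            "endpoints": [{"url": endpoint}]})
    return {"Content-Security-Policy": csp, "Report-To": report_to}


def normalize(body):
    """Both delivery modes describe the same violation with different key
    names (kebab-case for report-uri, camelCase for report-to; assumed)."""
    def pick(*keys):
        return next((body[k] for k in keys if k in body), None)
    return {"document": pick("document-uri", "documentURL"),
            "blocked": pick("blocked-uri", "blockedURL"),
            "directive": pick("effective-directive", "effectiveDirective")}


def handle_report(method, headers, body):
    """Pure request handler: returns (status, response headers, violations)."""
    origin = headers.get("origin", "")
    cors = {"Access-Control-Allow-Origin": origin, **CORS_HEADERS} \
        if origin in ALLOWED_ORIGINS else {}
    if method == "OPTIONS":
        # report-to is a CORS request with a non-safelisted Content-Type, so
        # the browser preflights it; without this answer reports are dropped.
        return (204, cors, []) if cors else (403, {}, [])
    if method != "POST":
        return 405, {}, []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/csp-report":
        # report-uri: one object under "csp-report", sent without preflight.
        return 204, {}, [normalize(json.loads(body)["csp-report"])]
    if ctype == "application/report":
        # report-to: an array of reports, each with a "type" and a "body".
        reports = json.loads(body)
        found = [normalize(r["body"]) for r in reports
                 if r.get("type") in ("csp", "csp-violation")]
        return 204, cors, found
    return 415, {}, []
```

Restricting the preflight answer to an allowlist of origins keeps the endpoint from becoming an open sink for reports from unrelated sites.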
Received on Tuesday, 28 February 2017 22:25:06 UTC
