- From: Jean-Baptiste Aviat <jb@sqreen.io>
- Date: Thu, 16 Feb 2017 08:50:14 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Daniel Veditz <dveditz@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On 16 Feb 2017, at 07:25, Anne van Kesteren <annevk@annevk.nl> wrote:

>> In CSP 3 report-uri is deprecated in favor of report-to. Report-to uses the
>> reporting service spec which defines a content-type of application/report,
>> and also that the request mode is "cors". Isn't that basically what you
>> want? Can we leave the report-uri behavior alone as a historical artifact of
>> 2011 spec making?
>
> That would end up requiring a CORS preflight. I doubt that's going to
> be compatible enough? How does deployment of that even work, we'll
> just break existing reporting services?

I guess policies relying on CSP 3 will embed both report-to and report-uri. So if you upgrade your policy, you need to use a CSP 3 compliant service.
Received on Tuesday, 28 February 2017 22:25:06 UTC