Re: Reports feature violates the same-origin policy

On 16 Feb 2017, at 07:25, Anne van Kesteren <annevk@annevk.nl> wrote:

>> In CSP 3 report-uri is deprecated in favor of report-to. Report-to uses the
>> reporting service spec which defines a content-type of application/report,
>> and also that the request mode is "cors". Isn't that basically what you
>> want? Can we leave the report-uri behavior alone as a historical artifact of
>> 2011 spec making?
> 
> That would end up requiring a CORS preflight. I doubt that's going to
> be compatible enough? How does deployment of that even work, we'll
> just break existing reporting services?

I guess policies relying on CSP 3 will embed both report-to and report-uri. So if you upgrade your policy, you need to use a CSP 3 compliant service.

Received on Tuesday, 28 February 2017 22:25:06 UTC