W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2009

[whatwg] Clickjacking and CSRF

From: Bil Corry <bil@corry.biz>
Date: Wed, 22 Jul 2009 12:20:25 -0500
Message-ID: <4A674A59.7080605@corry.biz>
Aryeh Gregor wrote on 7/21/2009 5:34 PM: 
> If we could do reports only, then we would probably publish the data
> live in some form, yes.

If it's desirable to add a 'report only' feature to CSP, I'd prefer see a second CSP-related header (X-Content-Security-Policy-ReportOnly???) that implements it rather than adding it to the CSP header.  The presence of both headers (CSP and CSPReportOnly) would mean both would be acted upon.

There's already been some discussion that authors would iteratively relax CSP until their site worked.  I can see where an author enables ReportOnly, their site suddenly works and they mistakenly believe it's properly configured and actively protecting their site.

- Bil
Received on Wednesday, 22 July 2009 10:20:25 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:14 UTC