[Webkit-unassigned] [Bug 61360] Content Security Policy reports should be reported with content-type application/json, should contain all required fields
bugzilla-daemon at webkit.org
Thu May 26 08:53:51 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=61360
Adam Barth <abarth at webkit.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |abarth at webkit.org
--- Comment #1 from Adam Barth <abarth at webkit.org> 2011-05-26 08:53:51 PST ---
Thanks for the report.
> Using MacOS nightly webkit build 87124, Content-Security-Policy violations are being reported with content-type application/x-www-form-urlencoded (and the payload is indeed form encoded). The spec (http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri) says:
This is intentional (at least for the moment). We've recommended to the working group that the report should be sent form-urlencoded.
> On a related note, the report does not contain the blocked-uri field:
This is also intentional. There are some subtle security issues with sending the blocked-uri, especially if cross-origin redirects are involved. There's a spec change in the works to address this issue, which we'll implement once all the details are in the spec.
Thanks!
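An added example, not code from the WebKit project or from this bug report: a small receiver-side parser for a report-uri endpoint that accepts a violation report in either of the two encodings discussed above and treats blocked-uri as optional, since WebKit omitted it at the time. The document-uri and violated-directive field names and the "csp-report" JSON wrapper are assumptions taken from later spec drafts; both sample payloads are constructed.

```python
import json
from urllib.parse import parse_qs

# Fields the receiver normalises; "blocked-uri" may be absent, as noted above,
# so the parser must not require it.
FIELDS = ("document-uri", "violated-directive", "blocked-uri")


def parse_csp_report(content_type: str, body: bytes) -> dict:
    """Return a dict keyed by FIELDS (None when a field is absent).

    Accepts application/json and application/x-www-form-urlencoded bodies.
    Raises ValueError on any other media type or a malformed body so the
    endpoint can reject the request instead of storing junk.
    """
    # Ignore parameters such as "; charset=utf-8" when matching the type.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        data = json.loads(body.decode("utf-8"))
        # Assumed shape from later drafts: fields wrapped in a "csp-report" object.
        if isinstance(data, dict) and "csp-report" in data:
            data = data["csp-report"]
        if not isinstance(data, dict):
            raise ValueError("JSON report is not an object")
        raw = {k: v for k, v in data.items() if isinstance(v, str)}
    elif media_type == "application/x-www-form-urlencoded":
        # parse_qs returns a list per key; keep only the first value of each field.
        raw = {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}
    else:
        raise ValueError(f"unsupported report content-type: {media_type}")
    return {field: raw.get(field) for field in FIELDS}


# Constructed sample payloads, one per encoding (not captured from a real browser).
FORM_REPORT = (
    b"document-uri=https%3A%2F%2Fexample.test%2Fpage"
    b"&violated-directive=script-src+%27self%27"
)
JSON_REPORT = (
    b'{"csp-report": {"document-uri": "https://example.test/page", '
    b'"violated-directive": "script-src \'self\'", '
    b'"blocked-uri": "https://cdn.example.test/x.js"}}'
)

if __name__ == "__main__":
    print(parse_csp_report("application/x-www-form-urlencoded", FORM_REPORT))
    print(parse_csp_report("application/json; charset=utf-8", JSON_REPORT))
```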