Sid Stamm wrote:
> Gerv: what are your thoughts on (mis)use of the Report-URI to
> determine which browsers support CSP? For example, given a policy
> "X-Content-Security-Policy: allow self", Report-URI
> "http://self.com/report" and a tag served
> "<script src='http://forbidden.com/js'>", a report would be generated.
> Assuming the report URI and the page containing the violation are in
> the same domain, cookies could be used to connect the report to a
> specific client. It seems to me that unless client browsers *never*
> send CSP-related data to the server then the server can ultimately
> determine which clients are using CSP.
I have no objection in principle to servers knowing that clients have CSP capability. What I object to is bulking up every HTTP request with that information, or making the protocol or system more complicated in order to allow people to do things they shouldn't be doing (like relying on it as a first line of defence).

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security