Open Bug 1024562 Opened 10 years ago Updated 2 years ago

implement local-only violation reporting for CSP violations

Categories

(Core :: DOM: Security, enhancement, P3)

People

(Reporter: geekboy, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

Some violation reports in CSP shouldn't go out to servers; in particular, frame-ancestors violations in report-only policies (that are ignored) should still be reported to the console but not transmitted to servers (as per the spec).

For example, asyncReportViolation could have another argument, something like "isSensitive" or "isTainted", and the report won't be sent to the network (or a future imaginary csp-violation JS event).
Priority: -- → P2
Whiteboard: [domsecurity-backlog]
Blocks: csp-w3c-3
No longer depends on: CSP
Priority: P2 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog2]
Severity: normal → S3