Bug 1345886 (Open, UNCONFIRMED)
Opened 7 years ago
Updated 2 years ago
CSP: Include a script sample of the offending script also for event-handlers
Categories: Core :: DOM: Security, enhancement, P3
People: Reporter: lwe, Unassigned, Mentored
Whiteboard: [domsecurity-backlog1]
The script-sample currently provided in CSP reports of violations caused by event-handlers is too generic (e.g. "onclick attribute on DIV element"). It would be very valuable for developers if the script-sample field included the offending script also for event-handlers (like it does for inline scripts). Currently it is not possible to distinguish between event-handler script violations from extensions and the site itself. So we end up with a high number of violations where we just don't have the information we'd need to classify them as noise/real...

E.g. <div onclick="foo('bar')"> could set script-sample in the CSP report to "foo('bar')"

See also: https://github.com/w3c/webappsec-csp/issues/119
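To show why the generic sample leaves a report unclassifiable, here is an added triage pass over constructed CSP reports (example code, not from Firefox or from this bug): reports carrying an extension scheme are tagged, an actual script sample is matched against an assumed allowlist of the site's own inline handlers, and the generic "onclick attribute on DIV element" form falls through as unclassifiable.

```javascript
// Added example: triage of CSP violation reports by script-sample.
// KNOWN_SITE_HANDLERS is an assumed allowlist kept by the site owner;
// all report objects below are constructed, not real reports.
const SAMPLE_MAX = 40; // CSP3 truncates script-sample to 40 characters

// Stored truncated so they compare equal to a truncated sample.
const KNOWN_SITE_HANDLERS = new Set(
  ["foo('bar')", "trackClick(this)"].map((s) => s.slice(0, SAMPLE_MAX))
);

// Shape of the generic sample described in the bug: attribute and element only.
const GENERIC_SAMPLE = /^on[a-z]+ attribute on [A-Z0-9]+ element$/;

// Constructed reports in the "csp-report" JSON shape sent to report-uri.
const REPORTS = [
  { "csp-report": { "violated-directive": "script-src", "blocked-uri": "inline",
    "script-sample": "onclick attribute on DIV element" } },
  { "csp-report": { "violated-directive": "script-src", "blocked-uri": "inline",
    "script-sample": "foo('bar')" } },
  { "csp-report": { "violated-directive": "script-src", "blocked-uri": "inline",
    "script-sample": "openHelpPanel()" } },
  { "csp-report": { "violated-directive": "script-src", "blocked-uri": "moz-extension",
    "source-file": "moz-extension://PLACEHOLDER-ID/content.js" } },
];

function classify(report) {
  const r = report["csp-report"] || report;
  const blocked = r["blocked-uri"] || "";
  const source = r["source-file"] || "";
  const sample = (r["script-sample"] || "").slice(0, SAMPLE_MAX);

  // External scripts injected by extensions are identifiable by their scheme.
  if (/^(moz|chrome|safari-web)-extension/.test(blocked) || /-extension:\/\//.test(source)) {
    return "extension";
  }
  if (blocked !== "inline") return "other";
  // The case this bug is about: no code, so site vs. extension cannot be told apart.
  if (sample === "" || GENERIC_SAMPLE.test(sample)) return "unclassifiable";
  return KNOWN_SITE_HANDLERS.has(sample) ? "site" : "unknown-inline";
}

// Bucket counts over a batch of reports, e.g. one day of report-uri traffic.
function summarize(reports) {
  const counts = {};
  for (const rep of reports) {
    const bucket = classify(rep);
    counts[bucket] = (counts[bucket] || 0) + 1;
  }
  return counts;
}
```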
Comment 1•7 years ago
Thanks for reporting Lukas, and while I agree that that would be valuable that bug has to go to the backlog for now :-(
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Updated•2 years ago
Severity: normal → S3