ISSUE-16 (report-url): Restrict report URI to specific report pattern

http://www.w3.org/2010/webperf/track/issues/16

Raised by: Philippe Le Hégaret
On product: 

Nick: Does the specification reveal the URL that failed to load? Three things; we talked about top-level navigation, you'd know the URL that failed to load?

Arvind: yes
Nick: Cases where origin does not match up - possible attack
Arvind: Our assumption is to follow the standard origin concept
Nick: I don't have an answer yet, just raising the problem
Nick: Actively "phone-home" when an error occurs?
Arvind: Yes. Real-time is possible via the reporting mechanism. Follows the model of the CSP/same mechanism.
Nick: If someone visits my webpage on the uni domain, use some JavaScript, I could have reports back from anyone who visits a university webpage? I could watch someone browsing pages. Is there a use case for a configurable URL? This could be mitigated if there were a single well-known reporting URL at the domain level, rather than configurable by JavaScript.

Arvind: Can restrict the report URI to the specific report pattern. Are there other examples where this has been done?
Nick: https://tools.ietf.org/html/rfc5785 is the RFC for well-known

Received on Thursday, 24 April 2014 16:35:51 UTC