ISSUE-16: Restrict report URI to specific report pattern
report-url
- State:
- CLOSED
- Product:
- Navigation Error Logging
- Raised by:
- Philippe Le Hégaret
- Opened on:
- 2014-04-24
- Description:
- Nick: Does the specification reveal the URL that failed to load? three things; we talked about top-level navigation, you'd know the URL that failed to load?
Arvind: yes
Nick: Cases where origin does not match up - possible attack
Arvind: Our assumption is to follow the standard origin concept
Nick: I don't have an answer yet, just raising the problem
Nick: Actively "phone-home" when an error occurs?
Arvind: Yes. Real-time is possible via the reporting mechanism. Follows the model of the CSP/same mechanism.
Nick: If someone visits my webpage on the uni domain, use some javascript, I could have reports back from anyone who visits a university webpage? I could watch someone browsing pages. Is there a use case for a configurable URL? This could be mitigated if there were a single well-known reporting URL at the domain level, rather than configurable by JavaScript.
Arvind: can restrict the report URI to the specific report pattern. Are there other examples where this has been done?
Nick: https://tools.ietf.org/html/rfc5785 is the RFC for well-known
- Related Actions Items:
- No related actions
- Related emails:
- ISSUE-16 (report-url): Restrict report URI to specific report pattern (from sysbot+tracker@w3.org on 2014-04-24)
Related notes:
No additional notes.