ISSUE-16: Restrict report URI to specific report pattern

report-url

State: CLOSED
Product: Navigation Error Logging
Raised by: Philippe Le Hégaret
Opened on: 2014-04-24
Description:
Nick: Does the specification reveal the URL that failed to load? Three things; we talked about top-level navigation, you'd know the URL that failed to load?

Arvind: yes
Nick: Cases where origin does not match up - possible attack
Arvind: Our assumption is to follow the standard origin concept
Nick: I don't have an answer yet, just raising the problem
Nick: Actively "phone-home" when an error occurs?
Arvind: Yes. Real-time is possible via the reporting mechanism. Follows the model of the CSP/same mechanism.
Nick: If someone visits my webpage on the uni domain, use some JavaScript, I could have reports back from anyone who visits a university webpage? I could watch someone browsing pages. Is there a use case for a configurable URL? This could be mitigated if there were a single well-known reporting URL at the domain level, rather than configurable by JavaScript.

Arvind: Can restrict the report URI to the specific report pattern. Are there other examples where this has been done?
Nick: https://tools.ietf.org/html/rfc5785 is the RFC for well-known
Related Actions Items:
No related actions
Related emails:
  1. ISSUE-16 (report-url): Restrict report URI to specific report pattern (from sysbot+tracker@w3.org on 2014-04-24)

Related notes:

No additional notes.



Yoav Weiss <yoavweiss@google.com>, Ilya Grigorik <igrigorik@google.com>, Chairs, Philippe Le Hégaret <plh@w3.org>, Xiaoqian Wu <xiaoqian@w3.org>, Staff Contacts