ISSUE-16: Restrict report URI to specific report pattern



Navigation Error Logging
Raised by: Philippe Le Hégaret
Opened on:
Nick: Does the specification reveal the URL that failed to load? Three things; we talked about top-level navigation, you'd know the URL that failed to load?

Arvind: yes
Nick: Cases where origin does not match up - possible attack
Arvind: Our assumption is to follow the standard origin concept
Nick: I don't have an answer yet, just raising the problem
Nick: Actively "phone-home" when an error occurs?
Arvind: Yes. Real-time is possible via the reporting mechanism. Follows the model of the CSP/same mechanism.
Nick: If someone visits my webpage on the uni domain, use some JavaScript, I could have reports back from anyone who visits a university webpage? I could watch someone browsing pages. Is there a use case for a configurable URL? This could be mitigated if there were a single well-known reporting URL at the domain level, rather than configurable by JavaScript.

Arvind: Can restrict the report URI to the specific report pattern. Are there other examples where this has been done?
Nick: is the RFC for well-known
Related Actions Items:
No related actions
Related emails:
  1. ISSUE-16 (report-url): Restrict report URI to specific report pattern (from on 2014-04-24)

Related notes:

No additional notes.


Yoav Weiss, Ilya Grigorik, Chairs; Philippe Le Hégaret, Xiaoqian Wu, Staff Contacts