- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 2 Feb 2012 14:51:12 -0800
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Feb 2, 2012 at 2:26 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
>> The |request| field in the violation report is defined as the "HTTP request
>> line of the protected resource whose policy was violated including method,
>> URI and HTTP version". However, this seems like an odd layering violation.
>> For example, why does the server care about the HTTP version? It seems like
>> a more useful field would just be the URI of the protected document.
>>
>> B) Should we remove the |request| field in place of a |document-uri| field
>> containing the document's URI? (Recommendation: Yes)
>
> [Hill, Brad]
>
> 1) I think we need clear language about URI fragments in this case. They are not part of the HTTP request, but they are part of the URI as seen by the User-Agent.
>
> I think the current state of discussion is that the fragment may be desirable as part of violation reports (as it is a frequent carrier for DOMXSS payloads) but should be an OPTIONAL report feature (and therefore version 1.1). For version 1.0, given the existence of architectures such as web-keys (http://waterken.sourceforge.net/web-key/) that depend on the existing semantics of fragments and their (non-)transmission on the network, we probably should exclude them.

Yeah, that's a good point. We should probably strip out the fragment from all the URIs in the reports (e.g., including the blocked-uri).

Adam
Received on Thursday, 2 February 2012 22:52:10 UTC
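The fragment stripping Adam proposes above, as an added example that is not part of this thread or of any browser's CSP implementation: it assembles a violation report using the proposed `document-uri` field in place of `request`, and removes the fragment from every URI-valued field so that a fragment-carried secret (the web-key case Brad raises) never reaches the report endpoint. Field names follow the CSP report format; the sample URIs are constructed.

```python
"""Build a CSP violation report with URI fragments stripped.

Added example, not code from the thread: the fragment (`#...`) is never
sent on the network for the document itself, so a report that included
it would leak data (e.g. a web-key capability) the server never saw.
"""
from urllib.parse import urlsplit, urlunsplit

# URI-valued report fields (CSP report format); `document-uri` is the
# field proposed in the thread as the replacement for `request`.
URI_FIELDS = ("document-uri", "blocked-uri", "referrer")


def strip_fragment(uri: str) -> str:
    """Return `uri` without its fragment component.

    Values with no fragment, including keywords such as "self" and the
    empty string, are returned unchanged.
    """
    if "#" not in uri:
        return uri
    parts = urlsplit(uri)
    # Rebuild with an empty fragment; scheme, host, path and query are kept.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def build_report(document_uri: str, blocked_uri: str, violated_directive: str,
                 referrer: str = "", original_policy: str = "") -> dict:
    """Assemble the `csp-report` object, stripping fragments from URI fields."""
    report = {
        "document-uri": document_uri,
        "blocked-uri": blocked_uri,
        "referrer": referrer,
        "violated-directive": violated_directive,
        "original-policy": original_policy,
    }
    for field in URI_FIELDS:
        report[field] = strip_fragment(report[field])
    return {"csp-report": report}


if __name__ == "__main__":
    # Constructed sample: the document URI carries a web-key style secret
    # in its fragment, which must not appear in the report.
    print(build_report("https://app.example/doc#s3cr3t-web-key",
                       "https://cdn.example/x.js#v2",
                       "script-src 'self'"))
```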