On Wed, Nov 14, 2018 at 10:58 AM Tom Ritter <t...@mozilla.com> wrote:

> On Wed, Nov 14, 2018 at 3:17 PM Ehsan Akhgari <ehsan.akhg...@gmail.com>
> wrote:
> > What are your plans with regards to implementing the second part?  Can
> > these reports be sent cross-origin?  (From the spec, it seems like the
> > answer is yes.)  If so, how are you planning to handle issues such as
> > sending these reports to third-parties, including third-party trackers?
> > I'm worried about: a) sending these reports to a third-party not on the TP
> > list, b) sending these reports to a third-party on the TP list, and c) what
> > options we have to mitigate the tracking impact of these reports for both
> > of the previous cases, but especially for (b).
>
> Is this a different situation than CSP, which seems to have all these
> same issues? Do we do anything special there?
>

The CSP report-uri mechanism is deprecated AFAIK (
https://w3c.github.io/webappsec-csp/#directive-report-uri) and is supposed
to be replaced with this new API, so I think it is important to get the new
API right from the privacy perspective even if we didn't get CSP reporting
right (which we didn't -- AFAIK we happily send the CSP violation reports
to wherever the site points us to.)

-- 
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
