On Jan 12, 2:23 pm, Bil Corry <[email protected]> wrote:
> It already has this feature, see #6:

Ah, sorry for my blindness Bil. It has been a while since I read that, and simply spaced on that feature.

Gerv: what are your thoughts on (mis)use of the Report-URI to determine which browsers support CSP? For example, given a policy "X-Content-Security-Policy: allow self", Report-URI "http://self.com/report" and a tag served "<script src='http://forbidden.com/js'>", a report would be generated. Assuming the report URI and the page containing the violation are in the same domain, cookies could be used to connect the report to a specific client.

It seems to me that unless client browsers *never* send CSP-related data to the server then the server can ultimately determine which clients are using CSP.

-Sid

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
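To make the channel Sid describes concrete, here is an added example (not code from the thread or from any browser or CSP implementation) of a minimal report-URI handler: it parses a violation report, notes whether the request arrived with the page's session cookie, and logs only the violation fields, dropping the cookie rather than keeping it. The sample report body and headers are constructed; the field names (`csp-report`, `document-uri`, `violated-directive`, `blocked-uri`) follow the later standardized CSP violation-report JSON format rather than the prefixed `X-Content-Security-Policy` header in the post, and the cookie name `session` and the URLs are assumptions.

```python
import json
from typing import Optional

# Constructed sample: the JSON a browser POSTs to the report URI after the
# policy blocks <script src='http://forbidden.com/js'> on http://self.com/page.
SAMPLE_REPORT_BODY = json.dumps({
    "csp-report": {
        "document-uri": "http://self.com/page",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "http://forbidden.com/js",
    }
})

# Constructed sample request headers as a same-origin report endpoint sees them.
# The Cookie header is present precisely because the report URI shares the
# page's domain; that is the correlation channel the post describes.
SAMPLE_HEADERS = {
    "Content-Type": "application/csp-report",
    "Cookie": "session=abc123",
}

# Fields we keep in the log; everything else in the request is discarded.
REQUIRED_FIELDS = ("document-uri", "violated-directive", "blocked-uri")


def parse_report(body: str) -> dict:
    """Parse and validate a CSP violation report, returning only the kept fields."""
    data = json.loads(body)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body does not contain a csp-report object")
    missing = [k for k in REQUIRED_FIELDS if k not in report]
    if missing:
        raise ValueError(f"report is missing fields: {missing}")
    return {k: str(report[k]) for k in REQUIRED_FIELDS}


def session_from_headers(headers: dict) -> Optional[str]:
    """Return the value of the (assumed) 'session' cookie if the report carried one."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


def handle_report(body: str, headers: dict) -> dict:
    """Process one report. Records whether the sending client was identifiable
    (a session cookie arrived with the report, so the server could tie 'this
    browser enforces CSP' to that client) but deliberately does not store the
    cookie value itself in the log record."""
    record = parse_report(body)
    record["client_identifiable"] = session_from_headers(headers) is not None
    return record


if __name__ == "__main__":
    print(handle_report(SAMPLE_REPORT_BODY, SAMPLE_HEADERS))
```

The `client_identifiable` flag is the whole point: as long as the browser posts the report with the page's cookies, the endpoint can tell which session's browser enforced the policy whether or not the operator chooses to record it, which is why the post argues the mitigation has to be on the client side.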
