CSP 1.1: When reporting blocked 'data:' resources, send 'data:' as the URL.
author Mike West <mkwst@google.com>
Mon, 11 Feb 2013 15:04:12 +0100
changeset 183001dc8e8bcc3
parent 182 3affa0c38706
child 184 bc2bb0e5072a
CSP 1.1: When reporting blocked 'data:' resources, send 'data:' as the URL.

Based on Twitter's feedback from real-world error reports[1], it would be useful to
clarify the expected behavior for resources that don't map well to the general
'http:'/'https:' schemes we expect. If a 'data:...' resource is blocked, the
spec will now direct implementors to report 'data:'. Likewise, blob resources
would report 'blob:', JavaScript resources would report 'javascript:' and so on.

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0011.html
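The sanitization this commit describes, as an added JavaScript example that is not part of the spec, this changeset, or any user agent's code: it reduces a blocked URL to the value the `blocked-uri` field may carry. It treats a URL with an empty host as one "without a server-based naming authority" (our reading of the wording, not a definition the spec gives) and applies that test before the same-origin comparison, since a `data:` or `javascript:` URL has no server-based origin to compare against. The report field names are the CSP 1.0 ones; the sample URLs and policy are constructed for the example.

```javascript
// Added example: building the blocked-uri of a CSP violation report the way this
// changeset describes. Not the spec's or any browser's code. Uses the WHATWG URL
// class that browsers and Node.js provide.

// Assumption: a URL "has a server-based naming authority" when its host component
// is present. data:, blob:, javascript: and about: URLs all parse with an empty
// host, which is exactly the set the commit message wants reduced to a scheme.
function hasServerBasedAuthority(url) {
  return url.host !== "";
}

// Reduce a blocked URL to what the report may carry:
//   1. no server-based authority -> the scheme with its trailing colon ("data:")
//   2. same origin as the protected resource -> the full URL
//   3. any other origin -> the ASCII serialization of that origin
// The scheme check runs first on purpose: a data: URL is never same-origin with
// the protected resource, so comparing origins first would turn it into its
// (opaque) origin serialization before the scheme could be looked at.
function sanitizeBlockedUri(blockedUrlString, protectedOrigin) {
  const blocked = new URL(blockedUrlString);
  if (!hasServerBasedAuthority(blocked)) {
    return blocked.protocol; // URL.protocol already includes the ":"
  }
  if (blocked.origin === protectedOrigin) {
    return blocked.href;
  }
  return blocked.origin;
}

// Assemble the JSON body a user agent would POST to the report-uri.
// documentUri is the protected resource; its origin is the one compared against.
function buildViolationReport({ documentUri, blockedUri, violatedDirective, originalPolicy }) {
  const protectedOrigin = new URL(documentUri).origin;
  return JSON.stringify({
    "csp-report": {
      "document-uri": documentUri,
      "blocked-uri": sanitizeBlockedUri(blockedUri, protectedOrigin),
      "violated-directive": violatedDirective,
      "original-policy": originalPolicy,
    },
  });
}

// Constructed sample: a page whose script-src allows only 'self' tried to load
// an inline data: script. The report carries "data:", not the whole payload.
const sampleReport = buildViolationReport({
  documentUri: "https://example.com/account",
  blockedUri: "data:text/javascript,alert(1)",
  violatedDirective: "script-src 'self'",
  originalPolicy: "script-src 'self'; report-uri /csp-report",
});
console.log(sampleReport);
```

Note that with the host-based test a `blob:` URL reports as `blob:` even though the URL text embeds the creating origin, and that a cross-origin `https:` script collapses to its origin, which matches the preceding step in the spec: the report tells the site which scheme or host was involved without leaking the full path or the inline payload.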
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Tue Jan 29 22:45:56 2013 +0100
     1.2 +++ b/csp-specification.dev.html	Mon Feb 11 15:04:12 2013 +0100
     1.3 @@ -1847,6 +1847,11 @@
     1.4            the protected resource, then replace the blocked-uri with the ASCII
     1.5            serialization of the blocked-uri's origin.</li>
     1.6  
     1.7 +          <li>If the blocked-uri uses a URL scheme that does not have a
     1.8 +          server-based naming authority (for example, <code>data:</code> or
     1.9 +          <code>blob:</code>), then replace the blocked-uri with the ASCII
    1.10 +          serialization of the blocked-uri's scheme.</li>
    1.11 +
    1.12            <li>Let the <var>violation report</var> be the JSON stringification
    1.13            of the <var>violation-object</var>.</li>
    1.14
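Review bot: The new step at 1.7-1.10 runs after the origin-replacement step at 1.4-1.5, so the order decides the outcome for exactly the URLs it targets: a `data:` blocked-uri is not same-origin with the protected resource, so step 1.4 has already replaced it with the ASCII serialization of its origin before step 1.7 looks for a scheme, and the report ends up carrying that origin serialization rather than `data:`. Either move the scheme check ahead of the same-origin check, or restrict step 1.4 to blocked-uris that do have a server-based naming authority. Two smaller points on 1.7-1.10: the commit message promises `data:` with the colon, but "the ASCII serialization of the blocked-uri's scheme" can be read as `data`, so state that the trailing `:` is included; and "server-based naming authority" is RFC 3986 wording that the spec text here does not define, so either cite it or express the test in terms the spec already uses, such as a URL with no host component.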