This change removes the restriction that the report-uri needs to be related to
author Adam Barth <w3c@adambarth.com>
Mon, 27 Feb 2012 16:53:57 -0800
changeset 87 275074d083aa
parent 86 59966b0d94f5
child 88 2f03fc371f0f
This change removes the restriction that the report-uri needs to be related to
the document-uri. We discussed removing this restriction in April 2011, but
got somewhat distracted by other changes to the violation reports. Now that
we've removed request-headers from violation reports, it should be fine to send
the reports to any URI. I'll re-confirm on the mailing list.
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Mon Feb 27 16:33:57 2012 -0800
     1.2 +++ b/csp-specification.dev.html	Mon Feb 27 16:53:57 2012 -0800
     1.3 @@ -1103,30 +1103,6 @@
     1.4  
     1.5            <li>For each <var>report URI</var> in the <var>set of report URIs</var>:
     1.6              <ol>
     1.7 -              <li>If the <var>report URI</var> has a different scheme than the
     1.8 -              URI of the protected document, then ignore this <var>report
     1.9 -              URI</var> and continue to the next iteration of the loop.</li>
    1.10 -
    1.11 -              <li>If the <var>report URI</var> has a different port than the
    1.12 -              URI of the protected document, then ignore this <var>report
    1.13 -              URI</var> and continue to the next iteration of the loop.</li>
    1.14 -
    1.15 -              <li>If the <var>report URI</var>'s host does not share the same
    1.16 -              <em><a href="http://publicsuffix.org/">public suffix</a> +1 DNS
    1.17 -              label</em> as the URI of the protected document, then ignore
    1.18 -              this <var>report URI</var> and continue to the next iteration of
    1.19 -              the loop.
    1.20 -
    1.21 -              <p>Examples of public suffixes include <code>.com</code>,
    1.22 -              <code>.net</code> and <code>.co.uk</code>. Examples of
    1.23 -              <em>"public suffix +1 DNS label"</em> include
    1.24 -              <code>example.com</code>, <code>example.net</code> and
    1.25 -              <code>example.co.uk</code>. Therefore a protected document whose
    1.26 -              host is <code>www.example.com</code> could have a
    1.27 -              <code>report-uri</code> hosted on
    1.28 -              <code>reports.example.com</code> but <b>not</b>
    1.29 -              <code>reports.example.net</code>.</p></li>
    1.30 -
    1.31                <li>Fetch the <var>report URI</var> from origin of the protected
    1.32                document, with the synchronous flag <em>not</em> set, using HTTP
    1.33                method <code>POST</code>, with a <code>Content-Type</code>
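Review bot: Dropping the scheme check (removed lines 1.7 to 1.9) together with the port and public-suffix checks means a document served over https can now name an http report URI, so the POST in the remaining "Fetch the report URI" step would carry the violation report in cleartext to any host. The commit message justifies cross-host reporting by the removal of request-headers from the report, but that reasoning does not cover a scheme downgrade. Consider keeping a narrower rule that ignores a report URI whose scheme is less secure than the protected document's, or adding a non-normative note on what the report still discloses to a third-party endpoint. Because the fetch can now be cross-origin, the step should also say explicitly whether credentials such as cookies accompany it. The commit message says the change will be re-confirmed on the mailing list, so it may be worth linking that thread here once it exists.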