CSP 1.1: First pass at adding line numbers to reports.
author Mike West <mkwst@google.com>
Wed, 19 Dec 2012 01:33:33 +0100
changeset 180e0270baace3d
parent 179 6c0819591c8a
child 181 748bf7da3690
CSP 1.1: First pass at adding line numbers to reports.

Based on public-webappsec conversation[1], there seems to be rough agreement
that adding a source/line number to violation reports would be useful for
developers as they try to track down those reports' sources. Firefox already
sends this information in reports, and has done so for years.

This patch is a first pass for discussion, simply bringing in the keys and
values Firefox is already using. It makes the new fields optional, as not
every report will have this sort of context available, and user agents may
choose not to send this information in certain circumstances (extensions,
addons, etc).

[1]: http://lists.w3.org/Archives/public-webappsec/2012Dec/0025.html
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Tue Dec 18 15:38:35 2012 +0100
     1.2 +++ b/csp-specification.dev.html	Wed Dec 19 01:33:33 2012 +0100
     1.3 @@ -1761,7 +1761,8 @@
     1.4            following keys and values: [[!RFC4627]]
     1.5              <dl>
     1.6                <dt>csp-report</dt>
     1.7 -              <dd>A JSON object containing the following keys and values:
     1.8 +              <dd>
     1.9 +                <p>A JSON object containing the following keys and values:</p>
    1.10                  <dl>
    1.11                    <dt>document-uri</dt>
    1.12                    <dd>The <a href="http://www.w3.org/TR/html5/dom.html#the-document%27s-address">address</a>
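Review bot: the `<dd>` opened on the `+` line at 1.8 has no matching close inside this hunk; it is closed only by the unchanged `</dd>` at 1.32 in the following hunk, so the two hunks must land together or the element nesting of the `csp-report` definition breaks. Wrapping the existing sentence in `<p>…</p>` is otherwise a pure structural change with no wording difference, which is the right way to make room for sibling block content after the inner `</dl>`.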
    1.13 @@ -1787,6 +1788,21 @@
    1.14                    <dt>original-policy</dt>
    1.15                    <dd>The original policy as received by the user-agent.</dd>
    1.16                  </dl>
    1.17 +                <p>If the violation occurred as a result of script execution,
    1.18 +                and a specific line can be identified as the source, the
    1.19 +                following keys and values MAY be added:</p>
    1.20 +                <dl>
    1.21 +                  <dt>source-url</dt>
    1.22 +                  <dd>The <a href="http://www.w3.org/TR/html5/dom.html#the-document%27s-address">address</a>
    1.23 +                  of the resource where the violation occurred (an external
    1.24 +                  script file, for instance), with any
    1.25 +                  <a href="http://www.w3.org/TR/html5/urls.html#url-fragment">&lt;fragment&gt;</a>
    1.26 +                  component removed.</dd>
    1.27 +
    1.28 +                  <dt>line-number</dt>
    1.29 +                  <dd>The line number in <code>source-url</code> on which the
    1.30 +                  violation occurred.</dd>
    1.31 +                </dl>
    1.32                </dd>
    1.33              </dl>
    1.34            </li>
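Review bot: the new `line-number` entry at 1.28-1.30 does not say what type or base the value has; as a JSON value it should be stated explicitly, e.g. "The line number (a positive integer, counting from 1) in `source-url` on which the violation occurred", since Firefox-compatible consumers and new implementers will otherwise disagree on 0- versus 1-based counting. Two further points on `source-url` at 1.21-1.26: first, the text only strips the `<fragment>` component, but an external script URL may belong to a different origin than the protected resource and may carry query parameters, and the report is delivered to the page's `report-uri`, so the spec should say whether cross-origin `source-url` values are reduced further (to the origin, for example) or kept whole, consistent with however `blocked-uri` is treated elsewhere in the document; second, the lead-in at 1.17-1.19 covers "script execution" generally, so it should state what `source-url` is for an inline script (presumably the same value as `document-uri`) rather than leaving that to the "external script file, for instance" parenthetical. Minor: the blank `+` line at 1.27 inside the `<dl>` is harmless but does not match the surrounding list style.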