[whatwg] Clickjacking and CSRF

Wed Jul 22 10:20:25 PDT 2009

Aryeh Gregor wrote on 7/21/2009 5:34 PM: 
> If we could do reports only, then we would probably publish the data
> live in some form, yes.

If it's desirable to add a 'report only' feature to CSP, I'd prefer to see a second CSP-related header (X-Content-Security-Policy-ReportOnly???) that implements it rather than adding it to the CSP header.  The presence of both headers (CSP and CSPReportOnly) would mean both would be acted upon.

There's already been some discussion that authors would iteratively relax CSP until their site worked.  I can see where an author enables ReportOnly, their site suddenly works and they mistakenly believe it's properly configured and actively protecting their site.
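
The failure mode raised in the message above (a site that sends only a report-only policy and is taken to be protected) can be checked from response headers. The following is an added example, not part of the original post or of any CSP implementation; it assumes the standardized Content-Security-Policy and Content-Security-Policy-Report-Only names, the legacy X-Content-Security-Policy name, and the post's tentative X-Content-Security-Policy-ReportOnly name, and the sample responses are constructed.

```python
# Added example: classify a response's CSP deployment state from its headers.
# Header names are matched case-insensitively; repeated headers are allowed.
ENFORCE = {"content-security-policy", "x-content-security-policy"}
REPORT_ONLY = {
    "content-security-policy-report-only",
    "x-content-security-policy-reportonly",  # tentative name from the post
}

def csp_state(headers):
    """headers: iterable of (name, value) pairs from one HTTP response."""
    enforce, report = [], []
    for name, value in headers:
        key, policy = name.strip().lower(), value.strip()
        if not policy:
            continue  # a policy with no directives restricts nothing
        if key in ENFORCE:
            enforce.append(policy)
        elif key in REPORT_ONLY:
            report.append(policy)
    if enforce and report:
        state = "enforced+monitoring"  # both present, both acted upon
    elif enforce:
        state = "enforced"
    elif report:
        state = "report-only"          # violations reported, nothing blocked
    else:
        state = "none"
    return {"state": state, "protected": bool(enforce),
            "enforce": enforce, "report_only": report}

def audit(responses):
    """Return URLs whose only CSP is report-only (site works, but is unprotected)."""
    return [url for url, hdrs in responses
            if csp_state(hdrs)["state"] == "report-only"]

# Constructed sample responses (hypothetical hosts and policies).
SAMPLE = [
    ("https://a.example/", [("Content-Security-Policy", "default-src 'self'")]),
    ("https://b.example/", [("content-security-policy-report-only",
                             "default-src 'self'; report-uri /csp")]),
    ("https://c.example/", [("Content-Security-Policy", "default-src 'self'"),
                            ("Content-Security-Policy-Report-Only",
                             "default-src 'none'; report-uri /csp")]),
    ("https://d.example/", [("Content-Security-Policy", "  ")]),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLE:
        print(url, csp_state(hdrs)["state"])
    print("report-only without enforcement:", audit(SAMPLE))
```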

