| Line 247: | Line 247: | ||
==Violation Report Syntax== | ==Violation Report Syntax== | ||
User Agents MUST notify any provided report-uri when its containing policy is violated. These reports contain information about the protected resource and the violating content, and MUST be transmitted to any specified <tt>report-uri</tt>s via HTTP POST if available in the employed scheme, otherwise User Agents MUST choose an appropriate "submit" method. | |||
User Agents MUST not honor redirection responses. | |||
Reports MUST be an XML document containing the following fields: | |||
; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version) | ; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version) | ||
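Review bot: "User Agents MUST not honor redirection responses." does not say which request it governs or what becomes of the report when a redirect comes back. Read on its own line it could apply to any fetch, not only to report delivery. Suggest tying it to the report POST described in the paragraph before it and stating the outcome explicitly (whether the report is discarded), and writing the RFC 2119 keyword in capitals as MUST NOT. In that same preceding paragraph, "MUST choose an appropriate "submit" method" is not testable as a MUST; either name the method for each scheme or relax it to SHOULD.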
| Line 256: | Line 257: | ||
; <tt>original-policy</tt> : The original policy as served in the X-Content-Security-Policy HTTP header (or if there were multiple headers, a comma separated list of the policies) | ; <tt>original-policy</tt> : The original policy as served in the X-Content-Security-Policy HTTP header (or if there were multiple headers, a comma separated list of the policies) | ||
NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, <tt>blocked-uri</tt> | NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, User Agents MUST not send <tt>blocked-uri</tt> (it is assumed to be the same as the request URI). | ||
Violation Report XML Schema: | Violation Report XML Schema: | ||
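Review bot: in the <tt>frame-ancestors</tt> NOTE, "it is assumed to be the same as the request URI" refers to a value the report does not carry in that form. The <tt>request</tt> field is defined as the HTTP request line (method, resource, path, HTTP version), so a report consumer has to derive the URI from it. Suggest naming the field the consumer should read, and checking that the schema that follows treats <tt>blocked-uri</tt> as optional so a report without it still validates. The keyword should also be written MUST NOT.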