Deprecate insecure violation reports.

Issue description
CSP sends reports from HTTPS pages to HTTP endpoints. That seemed like a good idea at some point, but it obviously isn't one. Let's remove that misfeature.
Feb 24 2017

Mar 6 2017

Mar 8 2017
Am I correct in noting that these reports are currently blocked as Mixed Content? I see the shield and the notification in the DevTools console: Mixed Content: The page at 'https://docs.google.com/document/d/10REOGnhM/edit#' was loaded over HTTPS, but requested an insecure Content Security Policy reporting endpoint ''. This request has been blocked; the content must be served over HTTPS. Interestingly, in this particular repro the report URI is empty; not sure what's up with that.
Mar 8 2017
Oh, well, that'd be great if we're already blocking mixed reporting endpoints! :) Is this something easy to reproduce? We should write a test, but it turns out to be a little difficult to verify that a report _wasn't_ sent, given the fact that PingLoader explicitly decouples the reporting request from the page's lifetime. :/
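A check for the condition discussed in this thread, added here as an example rather than code from the Chromium issue or the CSP implementation: it parses a CSP header value and returns any report-uri endpoint that an HTTPS page would deliver over plain HTTP, and also flags an empty report-uri like the one in the DevTools message quoted above. Header values and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin


def parse_csp(header):
    """Split a CSP header value into {directive_name: [source tokens]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, []).extend(values)
    return directives


def insecure_report_endpoints(page_url, csp_header):
    """Return (kind, url) findings for report-uri endpoints of a secure page.

    kind is "insecure" for an endpoint resolved to an http: URL (this is
    what mixed-content blocking stops), or "empty" when report-uri is
    present with no value, as seen in the console message above.
    Relative and scheme-relative endpoints inherit https: from the page,
    so they are not reported.
    """
    findings = []
    if urlsplit(page_url).scheme != "https":
        return findings  # mixed-content rules only apply to secure pages
    directives = parse_csp(csp_header)
    if "report-uri" not in directives:
        return findings
    targets = directives["report-uri"]
    if not targets:
        findings.append(("empty", ""))
    for target in targets:
        resolved = urljoin(page_url, target)  # resolve relative forms against the page
        if urlsplit(resolved).scheme == "http":
            findings.append(("insecure", resolved))
    return findings
```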
Nov 10 2017

Feb 18 2018

Mar 3 2018
Comment 1 Deleted