Violating CSP / Network Reporting API privacy considerations.
Reported by witold.b...@gmail.com, Jun 25 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce the problem:
http://wicg.github.io/reporting/#disable
Read section 11.6, Disabling Reporting, based on "Draft Community Group Report, 8 June 2018" of "Reporting API" of Web Platform Incubator Community Group.

What is the expected behavior?
Chrome respects user settings that are exposed in the settings UI, to add the ability to disable reporting.

PS. I think Reporting API is really pretty well designed, and a good thing, but please follow your own words.

What went wrong?
Violation of a draft standard.

http://wicg.github.io/reporting/#disable

"User agents MUST allow users to disable reporting with some reasonable amount of granularity in order to maintain the priority of constituencies espoused in [HTML-DESIGN-PRINCIPLES]."

See also:
https://tools.ietf.org/html/rfc7469
https://w3c.github.io/webappsec-csp/#cspro-header
https://w3c.github.io/webappsec-csp/#report-to

Did this work before? No

Chrome version: 67.0.3396.87
Channel: stable
OS Version: 6.3
Flash Version:
Jun 25 2018
You can disable all Reporting API uploads for a particular origin (including CSP) via the Background Sync permission. (Also note that the Reporting implementation has not yet shipped in Chrome stable, so no one is able to use the Report-To header yet.)
Jul 2
Adding Needs-Feedback label as per comment#3 and requesting reporter to check as per that comment. Any further inputs from your end may be helpful. Thanks!
Nov 23
**UI mass Triage** We were unable to find repro steps for this bug as per C#5 & no update for long from reporter. If you have more data to reproduce this bug or have clear repro steps, please reopen or file a new issue. Thanks!
Comment 1 by witold.b...@gmail.com, Jun 25 2018