Folks using CSP violation reports: are you doing strict MIME-type checking? Would the suggestion in https://github.com/whatwg/fetch/pull/621 … that we add `+json` to the MIME type break you? (/cc @Scott_Helme)
In this case checking C-T likely doesn't add much value. Collection doesn't change user state and the endpoint has to expect arbitrary data & handle it appropriately anyway.
It might work as a first-line denoiser, but it’s not a security layer. The security benefits accumulate to things that don’t intend to receive violation (or any other) reports.
I agree! Browsers can make this change and CSP collectors (specifically) can be more lax about C-T, and everything will be great.
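An added example, not part of the thread: a minimal collector-side handler in which the Content-Type check only filters noise and the body is treated as arbitrary input. It assumes the `application/csp-report` type and `csp-report` wrapper used by `report-uri` reports; `application/csp-report+json` is a hypothetical form of the proposed change, and the size limit, field list and sample body are constructed.

```python
import json

MAX_BODY = 64 * 1024   # constructed limit: violation reports are small
MAX_FIELD = 2048       # constructed limit per stored string
FIELDS = ("document-uri", "violated-directive", "blocked-uri")

def media_type(header):
    """Lowercased type/subtype with parameters (e.g. charset) removed."""
    return (header or "").split(";", 1)[0].strip().lower()

def is_report_type(header):
    """Lax check: the legacy CSP type, plain JSON, or any +json suffix."""
    mt = media_type(header)
    if mt.count("/") != 1:
        return False
    subtype = mt.split("/", 1)[1]
    return (mt == "application/csp-report"
            or subtype == "json" or subtype.endswith("+json"))

def handle_report(content_type, body):
    """Return (status, cleaned_report). Nothing here trusts the sender."""
    if not is_report_type(content_type):
        return 415, None            # first-line denoiser only
    if len(body) > MAX_BODY:
        return 413, None
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        return 400, None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return 400, None
    # Store only expected string fields, truncated; drop everything else.
    clean = {k: report[k][:MAX_FIELD] for k in FIELDS
             if isinstance(report.get(k), str)}
    return 204, clean

# Constructed sample body for illustration.
SAMPLE = (b'{"csp-report": {"document-uri": "https://example.test/",'
          b' "violated-directive": "script-src",'
          b' "blocked-uri": "https://cdn.example.test/x.js", "extra": 1}}')

if __name__ == "__main__":
    for ct in ("application/csp-report", "application/csp-report+json",
               "text/plain"):
        print(ct, handle_report(ct, SAMPLE))
```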