Folks using CSP violation reports: are you doing strict MIME-type checking? Would the suggestion in https://github.com/whatwg/fetch/pull/621 … that we add `+json` to the MIME type break you? (/cc @Scott_Helme)
Replying to @mikewest @Scott_Helme
Not checking either. Probably should. /cc @arturjanc
In this case checking C-T likely doesn't add much value. Collection doesn't change user state and the endpoint has to expect arbitrary data & handle it appropriately anyway.
It might work as a first-line denoiser, but it’s not a security layer. The security benefits accumulate to things that don’t intend to receive violation (or any other) reports.
I agree! Browsers can make this change and CSP collectors (specifically) can be more lax about C-T, and everything will be great.
7:41 AM - 16 Nov 2017