Content Security Policy reports aren't very useful without a way to filter out reports from users with extensions. No point in looking through CSP errors from all this advertising, etc. injected into pages. There might be a valid report mixed in with the hundreds of others...
Replying to @CopperheadOS
They are useful when setting up or updating a policy, so you can notice changes in the patterns of reports. But agreed, lots of wasted grepping to see whether that weird script is being loaded correctly or by injection.
Replying to @durumcrustulum
Ideally, we could ask browsers to avoid sending a report if an extension touched the page in any way. As is, we're not looking at the reports at all because of the noise and yet there might be an issue buried in there.
Replying to @CopperheadOS @durumcrustulum
This has long been the major problem with violation reports, but it's at least partly addressed by 'report-sample' in CSP3: https://w3c.github.io/webappsec-csp/#violation-sample …
In our apps we only look at reports with a script-sample or a blocked-uri, assuming that any real violations would also occur in browsers which send the script sample. Ignore all other, non-actionable reports.
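The triage rule described in the last post, as an added example that is not part of the thread or any participant's code. It accepts both the legacy `report-uri` body and the Reporting API entry shape; the extension URL schemes, the function names and the sample reports are assumptions constructed for illustration.

```javascript
// Added example. The extension scheme list is an assumption, not from the thread.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-web-extension:"];

const isObj = (v) => v !== null && typeof v === "object";

// Build one record shape from either report format's field names.
const record = (o, blocked, source, sample) => ({
  blockedUri: String(o[blocked] || ""),
  sourceFile: String(o[source] || ""),
  sample: String(o[sample] || ""),
});

// Accepts a legacy report-uri body ({"csp-report": {...}}) or a Reporting API
// entry ({"type": "csp-violation", "body": {...}}), parsed or as a JSON string.
function normalizeReport(raw) {
  let obj;
  try { obj = typeof raw === "string" ? JSON.parse(raw) : raw; } catch { return null; }
  if (!isObj(obj)) return null;
  if (isObj(obj["csp-report"])) return record(obj["csp-report"], "blocked-uri", "source-file", "script-sample");
  if (obj.type === "csp-violation" && isObj(obj.body)) return record(obj.body, "blockedURL", "sourceFile", "sample");
  return null; // not a CSP report
}

// True when the blocked resource or the source file lives inside an extension.
function isExtensionNoise(r) {
  return [r.blockedUri, r.sourceFile].some((u) => EXTENSION_SCHEMES.some((s) => u.startsWith(s)));
}

// Rule from the thread: keep reports carrying a script sample or a blocked URI.
// Dropping extension-scheme URLs on top of that is an addition made here.
function triage(rawReports) {
  const actionable = [], ignored = [];
  for (const raw of rawReports) {
    const r = normalizeReport(raw);
    const keep = r !== null && (r.sample !== "" || r.blockedUri !== "") && !isExtensionNoise(r);
    (keep ? actionable : ignored).push(r || raw);
  }
  return { actionable, ignored };
}

// Constructed sample reports (hostnames and the extension id are placeholders).
const SAMPLE_REPORTS = [
  { "csp-report": { "blocked-uri": "inline", "script-sample": "console.log('debug')" } },
  { "csp-report": { "blocked-uri": "chrome-extension://constructed-id/inject.js" } },
  { type: "csp-violation", body: { blockedURL: "https://cdn.example/lib.js" } },
  { "csp-report": { "blocked-uri": "", "source-file": "https://app.example/" } },
  "not json",
];
```

Browsers only include a sample when the violated directive carries the `'report-sample'` keyword.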