Contact emails
Spec
https://w3c.github.io/webappsec-csp/#deprecated-serialize-violationSummary
Firefox has shipped a `script-sample` property in CSP violation reports since their initial implementation, while other browsers have not done the same for various reasons outlined in the thread at https://lists.w3.org/Archives/Public/public-webappsec/2016Oct/0016.html. The `sample` property attempts to reach consensus on an opt-in variant of Firefox's behavior. In short, we'll collect a 40-character sample for inline script and style violations, and include it in the violation report (and the associated SecurityPolicyViolationEvent object) iff a `'report-sample'` expression is present in the violated directive.
Motivation
Artur (CC'd) lays out the Google security team's perspective on samples in violation reports at https://github.com/w3c/webappsec-csp/issues/119#issue-179078142: without a sample, detecting and eliminating inline script violations is practically impossible. This is a request I've heard echoed from basically everyone else who collects violation reports at scale.
Interoperability and Compatibility Risk
The main risk here is that the proposal doesn't exactly match what Firefox has shipped. The key distinctions are:
1. This approach requires opt-in from the site, via a new `'report-sample'` expression in the relevant directive.
2. We're including inline style violations as well, and have renamed the property to the more generic `sample` accordingly.
I expect that we'll be able to work out these risks as part of the specification process, and will align our implementations to whatever we agree upon.
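To make the opt-in rule concrete for people who run report collectors, here is a small model of the behavior described above: a serialized policy is parsed, the directive governing an inline script or style is resolved (falling back to default-src as CSP does), and the `sample` field is attached only when that directive carries `'report-sample'`, truncated to 40 characters. This is an added illustration, not Chromium's or Firefox's implementation code; the parser, the `buildReport` helper and the inline payload are constructed for this example.

```javascript
// Added example: how 'report-sample' gates the `sample` field in a CSP
// violation report. Not taken from any browser's implementation.

const SAMPLE_LENGTH = 40; // sample size the proposal describes

// Parse a serialized CSP into a Map of directive name -> source expressions.
// As in CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// The directive governing inline content: the specific one if present,
// otherwise default-src (standard CSP fallback). null means nothing governs it.
function effectiveDirective(directives, kind) {
  const specific = kind === 'script' ? 'script-src' : 'style-src';
  if (directives.has(specific)) return specific;
  if (directives.has('default-src')) return 'default-src';
  return null;
}

// Keywords are matched ASCII case-insensitively, quotes included.
function allowsReportSample(directives, name) {
  const values = directives.get(name) || [];
  return values.some(v => v.toLowerCase() === "'report-sample'");
}

// Build the report body for a blocked inline script or style. `sample` is
// present only when the violated directive contains 'report-sample'.
function buildReport(policy, kind, inlineContent, documentURL) {
  const directives = parsePolicy(policy);
  const name = effectiveDirective(directives, kind);
  if (name === null) return null; // inline content is not restricted by this policy
  const report = {
    'document-uri': documentURL,
    'violated-directive': name,
    'effective-directive': name,
    'original-policy': policy,
    'blocked-uri': 'inline',
  };
  if (allowsReportSample(directives, name)) {
    report.sample = inlineContent.slice(0, SAMPLE_LENGTH);
  }
  return report;
}

// Constructed inline payload (longer than 40 characters) to exercise truncation.
const LONG_INLINE = "document.getElementById('x').textContent = 'hello world from inline';";
const DOC = 'https://example.test/';

const withSample = buildReport(
  "default-src 'self'; script-src 'self' 'report-sample'; report-uri /csp",
  'script', LONG_INLINE, DOC);
const withoutSample = buildReport(
  "default-src 'self'; script-src 'self'; report-uri /csp",
  'script', LONG_INLINE, DOC);
// Inline style governed by default-src because no style-src is present.
const styleViaDefault = buildReport(
  "default-src 'self' 'report-sample'", 'style', LONG_INLINE, DOC);

console.log(JSON.stringify(withSample, null, 2));
console.log('sample without opt-in:', withoutSample.sample); // undefined
console.log('style fallback directive:', styleViaDefault['violated-directive']);

// In a page, the same field arrives on the event object, so a site can
// forward it to its own collector:
//   document.addEventListener('securitypolicyviolation',
//     e => console.log(e.violatedDirective, e.sample));
```

The truncation happens before the report leaves the page, so a collector only ever sees the first 40 characters; when triaging inline violations it is worth keying on `sample` together with `document-uri` and `violated-directive`, since the same short prefix can come from very different scripts.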
Edge: No signals.
Firefox: Shipped.
Safari: No signals.
Web developers: Positive.
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
OWP launch tracking bug
https://crbug.com/606774
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5792234276388864
Requesting approval to ship?
No.
-mike