Intent to Ship: Add `disposition` to SecurityPolicyViolationEvent


Sergey Shekyan

Sep 30, 2016, 1:41:11 AM
to blin...@chromium.org

Contact emails

she...@gmail.com, mk...@google.com


Spec

https://w3c.github.io/webappsec-csp/#violation-disposition


Summary

This change adds a `disposition` property to SecurityPolicyViolationEvent.


The Content Security Policy specification introduces the disposition of a violation [1], which indicates the disposition of the violated policy.

The property value is a read-only string that corresponds to the policy disposition [2], and can be either "enforce" or "report".


[1] https://w3c.github.io/webappsec-csp/#violation-disposition

[2] https://w3c.github.io/webappsec-csp/#policy-disposition


Link to “Intent to Implement” blink-dev discussion

N/A


Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.


Debuggability

This change also introduces a new property in the Content Security Policy violation report; not sure if it affects debuggability.


Interoperability and Compatibility Risk

No other browsers have implemented this yet.




Jochen Eisinger

Sep 30, 2016, 1:46:05 AM
to Sergey Shekyan, blin...@chromium.org

lgtm1

Mike West

Sep 30, 2016, 3:42:18 AM
to Jochen Eisinger, Sergey Shekyan, blink-dev
Non-owner's LGTM. This is a small change to the data we send back in a report, but it will help endpoints like `report-uri.io` and others to distinguish between header types cleanly. I expect other vendors to pick it up pretty quickly to reflect the spec.

-mike
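
Added example, not part of the thread or of Chromium's code: a report-collector routine that uses the `disposition` key to separate enforced blocks from report-only observations, which is the endpoint use case the message above describes. It assumes the `report-uri` JSON body with a top-level `csp-report` object; the function names and sample reports are constructed.

```javascript
// Added example: triage CSP violation reports by their `disposition` key.
// Function names and sample reports are constructed for illustration.
const KNOWN_DISPOSITIONS = new Set(["enforce", "report"]);

// Normalize one parsed report body of the form {"csp-report": {...}}.
// Returns null for bodies that are not CSP reports at all.
function classifyReport(body) {
  const r = body && typeof body === "object" ? body["csp-report"] : null;
  if (!r || typeof r !== "object") return null;
  // Browsers that predate the field omit it: record "unknown", never guess.
  const disposition = KNOWN_DISPOSITIONS.has(r.disposition) ? r.disposition : "unknown";
  return {
    disposition,
    directive: String(r["effective-directive"] || r["violated-directive"] || ""),
    blockedUri: String(r["blocked-uri"] || ""),
    documentUri: String(r["document-uri"] || ""),
  };
}

// Split a batch: "enforce" = something was actually blocked for a user,
// "report" = a Report-Only policy observed it without blocking.
function triage(bodies) {
  const out = { enforce: [], report: [], unknown: [], rejected: 0 };
  for (const body of bodies) {
    const rec = classifyReport(body);
    if (rec === null) out.rejected += 1;
    else out[rec.disposition].push(rec);
  }
  return out;
}

// Constructed sample input.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://app.example/", "disposition": "enforce",
      "effective-directive": "script-src", "blocked-uri": "https://cdn.example/a.js" } },
  { "csp-report": { "document-uri": "https://app.example/", "disposition": "report",
      "effective-directive": "img-src", "blocked-uri": "https://img.example/x.png" } },
  { "csp-report": { "document-uri": "https://app.example/old",
      "violated-directive": "style-src", "blocked-uri": "inline" } },
  { "unexpected": true },
];

const summary = triage(SAMPLE_REPORTS);
console.log(summary.enforce.length, summary.report.length,
  summary.unknown.length, summary.rejected);
```

Keeping an explicit `unknown` bucket means reports from browsers that do not yet send the field are not silently counted as enforced blocks.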

Philip Jägenstedt

Sep 30, 2016, 3:45:56 AM
to Mike West, Jochen Eisinger, Sergey Shekyan, blink-dev
LGTM2

Chris Harrelson

Sep 30, 2016, 11:06:16 AM
to Philip Jägenstedt, Mike West, Jochen Eisinger, Sergey Shekyan, blink-dev
LGTM3


Joe Medley

Sep 30, 2016, 3:07:26 PM
to Chris Harrelson, Philip Jägenstedt, Mike West, Jochen Eisinger, Sergey Shekyan, blink-dev
Is there a Chrome status entry and a tracking bug?

Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.

Sergey Shekyan

Sep 30, 2016, 3:18:05 PM
to Joe Medley, Chris Harrelson, Philip Jägenstedt, Mike West, Jochen Eisinger, blink-dev
There is no Chrome status entry for this change. 
Tracking bug is https://crbug.com/646021 

Cheers,
Sergey