HPKP: Set Content-Type header field in reports #526

ScottHelme · 2017-01-30T18:43:17Z

The CSP spec has a nice requirement that CSP reports should have the content-type header set to application/csp-report. https://www.w3.org/TR/CSP2/#send-violation-reports

Could we introduce a similar requirement for HPKP reports to have a content-type header set to application/hpkp-report?

The text was updated successfully, but these errors were encountered:

mikewest · 2017-02-02T00:21:45Z

We could not, as HPKP is defined in the IETF. Also the websec group is closed. Soooo... @mnot, what's the process for asking for changes? File errata? :)

annevk · 2017-02-02T08:19:36Z

Oh great, these violation reports violate the same-origin policy. Whee.

mnot · 2017-02-02T23:13:38Z

Officially, errata aren't for technical changes/updates. You'd need a new RFC that updates or obsoletes the HPKP RFC.

Easiest way to do that would be to ask for the HTTP WG to take it on; we'd keep the source in our repo so that future updates would be easier.

All that said, in the meantime you can file errata that ask for technical changes -- they'll be listed as "Hold for Document Update", so at least they'll be somewhere.

mnot · 2017-02-02T23:14:28Z

And by "ask", I mean "provide an editor" :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HPKP: Set Content-Type header field in reports #526

HPKP: Set Content-Type header field in reports #526

ScottHelme commented Jan 30, 2017

mikewest commented Feb 2, 2017

annevk commented Feb 2, 2017

mnot commented Feb 2, 2017

mnot commented Feb 2, 2017

HPKP: Set Content-Type header field in reports #526

HPKP: Set Content-Type header field in reports #526

Comments

ScottHelme commented Jan 30, 2017

mikewest commented Feb 2, 2017

annevk commented Feb 2, 2017

mnot commented Feb 2, 2017

mnot commented Feb 2, 2017