> Sorry for my laziness not having scanned through the links below to find
> the answer to this question, but how does this interact with the
> same-origin policy, if at all? And if it does, is enabling it in sandbox
> iframes without the allow-same-origin token the right thing to do?

It's possible to have cross-origin endpoints. And yes, we should not send reports in such sandboxed iframes. I'll file a spec issue if there is not one yet.

> I assume it is possible for foo.example to use this API to send a report to
> thirdparty.example (let's imagine thirdparty.example isn't on the
> Disconnect tracking protection list.) What data is leaked to
> thirdparty.example as part of those reports? Do we send
> credentials/referrer?

A report contains the origin and the credentials, plus the body of course. This doesn't seem different than a <img src="thirdparty.example?the_body_here" />.

In general, I agree with your concern, and I would like more people to take a close look at how Reporting API can be abused. As I said, ReportingObserver seems fine. Report-to needs a better integration with url-classifier and content blocking before being shipped.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
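
An added example, not part of the original message or of any browser's code: a small audit that lists which endpoints in a Report-To header are cross-origin to the page that set it, the foo.example to thirdparty.example case raised above. The function names, sample header and URLs are constructed, and the header layout assumed is the comma-separated JSON one from the Reporting API draft.

```javascript
// Added example: flag Report-To endpoints that are cross-origin to the
// document that delivered the header.

// Assumption: the header value is a comma-separated list of JSON objects,
// so wrapping it in brackets yields a JSON array of endpoint groups.
function parseReportTo(headerValue) {
  let groups;
  try {
    groups = JSON.parse("[" + headerValue + "]");
  } catch (e) {
    return []; // malformed header: nothing usable
  }
  return groups.filter(
    (g) => g !== null && typeof g === "object" && Array.isArray(g.endpoints)
  );
}

function auditEndpoints(documentUrl, headerValue) {
  const docOrigin = new URL(documentUrl).origin;
  const findings = [];
  for (const group of parseReportTo(headerValue)) {
    const name = typeof group.group === "string" ? group.group : "default";
    for (const ep of group.endpoints) {
      let url;
      try {
        url = new URL(ep && ep.url); // absolute URLs only
      } catch (e) {
        continue; // relative or invalid endpoint URL: skip it
      }
      findings.push({
        group: name,
        endpoint: url.href,
        crossOrigin: url.origin !== docOrigin,
        https: url.protocol === "https:",
      });
    }
  }
  return findings;
}

// Constructed sample: one same-origin group, one third-party group.
const SAMPLE_HEADER =
  '{"group":"default","max_age":86400,"endpoints":[{"url":"https://foo.example/reports"}]}, ' +
  '{"group":"csp","max_age":86400,"endpoints":[{"url":"https://thirdparty.example/collect"},{"url":"/relative"}]}';

const SAMPLE_FINDINGS = auditEndpoints("https://foo.example/page", SAMPLE_HEADER);
console.log(SAMPLE_FINDINGS.filter((f) => f.crossOrigin));
```
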