CSP Violation Reports for redirects should include full original URI and origins in the redirect URIs

[devd]

No description provided.

[mikewest]

Sorry, I missed this too. (You'll be seeing that a lot, I think, since TPAC is a nice forcing-function to make me realize that I've done a bad job staying on top of things here...)

The reporting changes were meant to make it less likely that we leak information that the page doesn't itself have access to. We can prevent explicitly leaking the origin of a redirect target, so why shouldn't we?

[devd]

not sure what you mean: I was saying if <iframe src="allowdsite.com/foobar"> redirects to notallowed.com/bar, then I should at least know that the violation was caused by allowedsite.com/foobar?

[mikewest]

Yeah, if <iframe src="allowdsite.com/foobar"> redirects to disallowed.com, then you should get a report that says child-src was violated by a request to allowedsite.com/foobar. I think that's what the spec says today.

[andypaicu]

I believe the spec now covers this indeed.