@@ -1012,12 +1012,22 @@ <h2 id="security">Security Considerations</h2>
10121012
10131013 < h3 id ="capability-urls "> Capability URLs</ h3 >
10141014
1015- Some URLs are valuable in and of themselves. To mitigate the possibility
1016- that such URLs will be leaked via this reporting mechanism, we strip out
1017- credential information and fragment data from the URL we store as a
1018- < a > report</ a > 's originator. It is still possible, however, for a feature
1019- to unintentionally leak such data via a report's [=report/body=]. Implementers
1020- SHOULD ensure that URLs contained in a report's body are similarly stripped.
1015+ Some URLs are valuable in and of themselves. They may contain explicit
1016+ credentials in the username and password portion of the URL, or may grant
1017+ access to some resource to anyone with knowledge of the URL path.
1018+ Additionally, they may contain information which was never intended leave the
1019+ user's browser in the URL fragment. See [[CAPABILITY-URLS]] for more
1020+ information.
1021+
1022+ To mitigate the possibility that such URLs will be leaked via this reporting
1023+ mechanism, the algorithms here strip out credential information and fragment
1024+ data from the URL sent as a < a > report</ a > 's originator. It is still possible,
1025+ however, for sensitive information in the URL's path to be leaked this way.
1026+ Sites which use such URLs may need to operate their own reporting endpoints.
1027+
1028+ Additionally, such URLs may be present in a report's [=report/body=].
1029+ Specifications which extend this API and which include any URLs in a report's
1030+ [=report/body=] SHOULD require that they be similarly stripped.
10211031</ section >
10221032
10231033< section >
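Review bot: The residual-leak sentence in this hunk ("It is still possible, however, for sensitive information in the URL's path to be leaked this way") understates the exposure: the stripping described two lines earlier removes only the username/password and the fragment, so the query component survives unchanged as well, and capability tokens are at least as commonly carried in a query parameter as in the path. Suggest "sensitive information in the URL's path or query", and consider saying the same in the opening paragraph where the path is named as the place a capability may live. Two smaller points in the same hunk: "information which was never intended leave the user's browser" is missing "to" ("intended to leave"), and the closing sentence's "require that they be similarly stripped" is clearer if it names what "similarly" refers to, e.g. "stripped of credentials and fragment in the same way".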