From 6b9fdc97d9a8acfe00b62f5000d83f55ee13b5e6 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Thu, 23 Mar 2017 14:53:05 +0100
Subject: [PATCH] Note that violation reports are attacker controlled.

---
 index.html     | 7 +++++++
 index.src.html | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/index.html b/index.html
index 15225330ca..7d67e8f078 100644
--- a/index.html
+++ b/index.html
@@ -4820,6 +4820,11 @@ <h3 class="heading settled" data-level="7.4" id="security-violation-reports"><sp
   sensitive information contained in the redirected URL, such as session
   identifiers or purported identities. For this reason, the user agent includes
   only the URL of the original request, not the redirect target.</p>
+    <p>Note also that violation reports should be considered attacker-controlled data. Developers who
+  wish to collect violation reports in a dashboard or similar service should be careful to properly
+  escape their content before rendering it (and should probably themselves use CSP to further
+  mitigate the risk of injection). This is especially true for the "<code>script-sample</code>" property of
+  violation reports, and the <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample-3">sample</a></code> property of <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-4">SecurityPolicyViolationEvent</a></code>, which are both completely attacker-controlled strings.</p>
    </section>
    <section>
     <h2 class="heading settled" data-level="8" id="authoring-considerations"><span class="secno">8. </span><span class="content">Authoring Considerations</span><a class="self-link" href="#authoring-considerations"></a></h2>
@@ -6779,6 +6784,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     Obtain the deprecated serialization of violation </a>
     <li><a href="#ref-for-securitypolicyviolationevent-2">5.3. 
     Report a violation </a> <a href="#ref-for-securitypolicyviolationevent-3">(2)</a>
+    <li><a href="#ref-for-securitypolicyviolationevent-4">7.4. Violation Reports</a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-documenturi">
@@ -6837,6 +6843,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     Obtain the deprecated serialization of violation </a>
     <li><a href="#ref-for-dom-securitypolicyviolationevent-sample-2">5.3. 
     Report a violation </a>
+    <li><a href="#ref-for-dom-securitypolicyviolationevent-sample-3">7.4. Violation Reports</a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-disposition">
diff --git a/index.src.html b/index.src.html
index d82e566971..2f17dde695 100644
--- a/index.src.html
+++ b/index.src.html
@@ -3965,6 +3965,13 @@ <h3 id="security-violation-reports">Violation Reports</h3>
   sensitive information contained in the redirected URL, such as session
   identifiers or purported identities. For this reason, the user agent includes
   only the URL of the original request, not the redirect target.
+
+  Note also that violation reports should be considered attacker-controlled data. Developers who
+  wish to collect violation reports in a dashboard or similar service should be careful to properly
+  escape their content before rendering it (and should probably themselves use CSP to further
+  mitigate the risk of injection). This is especially true for the "`script-sample`" property of
+  violation reports, and the {{SecurityPolicyViolationEvent/sample}} property of
+  {{SecurityPolicyViolationEvent}}, which are both completely attacker-controlled strings.
 </section>
 
 <!-- Big text: Authoring -->