From 85191f8ce2c8c7e8ce27f32ac3a9308a68dcbe8a Mon Sep 17 00:00:00 2001
From: Douglas Creager <dcreager@dcreager.net>
Date: Wed, 26 Jun 2019 10:58:07 -0400
Subject: [PATCH] Add note about capability URLs

There can still be sensitive information in URLs, even after we strip
out username, password, and fragment.  This patch adds a recommendation
for admins to run their own collectors if they have URLs like this.
---
 index.src.html | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/index.src.html b/index.src.html
index 26c9481..a7863da 100644
--- a/index.src.html
+++ b/index.src.html
@@ -1510,6 +1510,11 @@ <h3 id="capability-urls">Capability URLs</h3>
   <a>report</a>'s originator. It is still possible, however, for a feature
   to unintentionally leak such data via a report's [=report/body=]. Implementers
   SHOULD ensure that URLs contained in a report's body are similarly stripped.
+
+  Even with this information stripped, there might still be sensitive
+  information encoded in the remainder of the URL. Administrators of sites that
+  use URLs in this way SHOULD consider operating their own Reporting API
+  collectors, to prevent the reporting of such URLs to third parties.
 </section>
 
 <section>