-
Similar to #1321, we also need to propagate the request [URL list](https://fetch.spec.whatwg.org/#concept-request-url-list) through a service worker `evt.respondWith(fetch(evt.request))`. This is nec…
-
We discussed [Mixed Content Level 2](https://w3c.github.io/webappsec-mixed-content/level2.html) during [TPAC](https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#mix2), …
-
Trusted Types can be bypassed using `document.execCommand` with `insertHTML` as the first parameter and the injected content as the third argument. While `document.execCommand` does not have an offici…
-
Requiring host whitelist entries in script-src could render certain CSPs bypassable.
CSPs with a host whitelist in script-src can usually be bypassed with little effort [1]. For this reason CSPs that…
-
# ZAP Scanning Report
## Summary of Alerts
| Risk Level | Number of Alerts |
| --- | --- |
| High | 0 |
| Medium | |
| Low | 5 |
| Informational | 3 |
## Alerts
| Name | Risk Level | Number o…
-
The [Editor's Draft link](https://github.com/w3c/webappsec-fetch-metadata/blob/master/index.bs#L8) should point to the actual draft (`https://w3c.github.io/webappsec-fetch-metadata/`), not to the GitH…
-
Trusted Types uses the keyword 'none' to show that no policies are allowed:
https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive
This is used to enforce Trusted T…
-
## Request for Mozilla Position on intent to ship an Emerging Web Specification
* Specification Title: Content Security Policy (update for WebAssembly)
* Specification or proposal URL: Minimal spe…
-
From a thread with @annevk, @sicking, and friends:
> The question here is what "if it matches" means. Keep in mind that
> when the SW loads the request, it often won't know that it's doing a
> load f…
-
## Introduction
XSS is bad. CSP's syntax is obtuse, and it's trying to do too many things. What if we could _just_ target XSS?
[Read the complete Explainer][explainer]. Also the [spec](https://m…