-
Hello.
I recently learned of the polyfill.io malware issue.
Currently, SRI is supported in all major browsers.
Therefore, if the integrity attribute is specified correctly, it is possible to prev…
-
This is a complicated issue about which we've had several discussions over the years (e.g. https://github.com/w3c/webappsec-csp/issues/15, https://github.com/w3c/webappsec-csp/issues/146, …
-
As per https://github.com/w3c/webappsec-csp/issues/509#issuecomment-925630075 these might have broader applicability than I would have expected.
(Though perhaps the case there is that the parent is…
-
The README.md alludes to standard mechanisms for password changing etc but doesn't reference any of them. @WICG has published one such standard, it would be good to link to it. If there are other ones…
pabs3 updated
4 years ago
-
If a website retrieves a PSL matched credential via a user mediated `get()` and then calls `store()` on the credential, the credential can become eligible for unmediated provisioning.
Assume the us…
-
Context: https://github.com/w3c/webappsec-secure-contexts/issues/82#issuecomment-776096228
Now that w3c/webappsec-secure-contexts#84 has landed and the HTML spec speaks only in terms of creation UR…
-
I'm opening this issue to discuss whether and what parts of the trusted types spec should be upstreamed to the CSP spec.
We currently define extensions to the CSP spec in https://w3c.github.io/trus…
-
If the Blink implementation of CSPEE is still the only implementation, and if we don’t have any new indications of interest from the Gecko or WebKit projects in implementing it, do we still want to ke…
-
**Is your feature request related to a problem? Please describe.**
Currently, no `Feature-Policy` is specified.
**Describe the solution you'd like**
Specify `Feature-Policy` in an allow-nothing s…
-
Based on feedback from @annevk.
We could consider promoting the use of TLS (and further limiting the attack surface slightly) by limiting the feature to secure contexts. This would permit use on HT…