-
When looking at blob loads with CSP, I noted a few things:
- frame-src 'self' will allow blob navigations and downloads.
- script-src 'self' will make blob script loads fail.
I think it is ok to …
-
A sandboxed srcdoc iframe will have its origin as "null" so its origin will not be trustworthy but the iframe will be considered as secure context according to https://w3c.github.io/webappsec-secure-con…
-
https://github.com/w3c/spec-prod is a new, specialized tool that easily automates all steps of building, validating, and publishing specs. To set it up, we just need to add one GitHub Actions file. Se…
-
Maybe we should add the reverse of `PasswordCredential(HTMLFormElement)` to populate a form from a PasswordCredential.
Use case:
A website that has existing logic to asynchronously sign-in the use…
-
### MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
### What specific section or headline is this issue about?
``
### What informa…
-
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
-
Should link to https needed for pwa and Bluetooth support
-
In https://w3c.github.io/payment-method-id/#validation the following security checks are performed:
* If url's scheme is not "https", return false.
* If url's username or password is not the empty…
-
Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:
```
1. Modify step 2 (the check for sameOriginWithAncestors) as follows:
- If sameOrigi…
```
-
The `index.bs` and `index.html` files are continually updated in the `master` branch but the changes don't routinely make their way over to the `gh-pages` branch and published docs at https://w3c.gith…