-
In https://w3c.github.io/payment-method-id/#validation the following security checks are performed:
* If url's scheme is not "https", return false.
* If url's username or password is not the empty…
-
As it is, one could choose a different `responseType` than `"labeled-json"`, to access the received data, even if the server operator has set the Content-Type of the response to be equal `application/…
-
Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:
```
1. Modify step 2 (the check for sameOriginWithAncestors) as follows:
- If sameOrigi…
```
-
The Web Application Security Consortium has a nice Threat Classification Taxonomy (http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View)
This is…
-
Similar to the attack suggested in https://github.com/whatwg/html/issues/2369, an attacker may be able to extract the nonce from a Content-Security-Policy specified via meta tag. I believe the `conten…
-
**It is impossible to give clipboard access to iframes.**
According to https://github.com/w3c/webappsec-permissions-policy/issues/322#issuecomment-618009921 and [this bug report](https://bugs.chromi…
-
This has somewhat come up before in #221 but I think it's worth raising again.
With this specification being the core base to many other specifications, (e.g. [FedCM](https://w3c-fedid.github.io/Fe…
-
As some application security vendors started checking for the presence of the CSP header and raise lack of it as an issue, I think it's necessary to clarify when precisely for which resources it's rea…
-
[As presented at the [Secure the Web Forward Workshop](https://www.w3.org/2023/03/secure-the-web-forward/agenda.html#session-1) ([transcript, slides and video](https://www.w3.org/2023/03/secure-the-we…
-
From https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
> If url is "about:blank" or "about:srcdoc" return "Potentially Trustworthy".
I think the spec is not really explicit her…