-
For simplicity, let's start at https://html.spec.whatwg.org/multipage/links.html#following-hyperlinks-2 for a javascript: URL.
Step 12 creates a new request. It's not clear what its **client** is …
-
```
What steps will reproduce the problem?
1. Add the following string to a URL that loads rsh.js:
#foobar'onload='alert("XSS")
What is the expected output? What do you see instead?
Expected b…
-
`ServiceWorkerRegistration.showNotification()` has `icon` and `image` options. It is not clear from the standard whether those resources must be served over https or whether http is acceptable as well.
…
-
Section 4.3 links to an _a priori insecure_ definition in the mixed content specification, but the term is no longer defined there.
I think this should be (not) an _a priori authenticated URL_ now?
-
On script/style [pre-request](https://www.w3.org/TR/CSP3/#script-pre-request) checks, if the integrity hashes match, then we skip the source-based matching check. This means that `script-src 'self' 'sha5…
-
I caught [this](https://twitter.com/Scott_Helme/status/792829254849486848) tweet from Scott Helme about the `require-sri-for` directive in CSP.
I already wrote an SRI `TagHelper` for ASP.NET Core w…
-
Resubmitting an issue from https://github.com/w3c/webappsec/issues/543
I would like to propose a way to restrict an iframe from programmatically setting focus on any of its inputs. Restricting would m…
-
It would be good to provide a more solid spec foundation for https://w3c.github.io/webappsec-fetch-metadata/#directly-user-initiated; perhaps most of that section should move into HTML, replacing the …
-
[[DiscoverFromExternalSource]] cannot be called with mediation "silent". Step 12.4 of [request a credential](https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential…