-
> The new `upgrade-insecure-requests` Content Security Policy directive can be used to transparently upgrade insecure resource requests to secure variants. This avoids the mixed content warnings witho…
-
I'm almost certainly missing something here, and I'm not sure if this is the best venue to ask a question like this (I considered SO - seems off-topic), but:
I'm wondering if it's possible to allow…
-
Document https://www.w3.org/TR/upgrade-insecure-requests/ uses terminology like "**a priori insecure origins**" or "**potentially secure**" with links to **mixed content** spec (e.g. https://w3c.gith…
-
There are a lot of [capability URLs](https://www.w3.org/TR/capability-urls/) out there, but both browsers and servers are oblivious to the fact that a certain URL is a capability one.
If browsers w…
-
https://github.com/mikewest/sec-metadata/issues/20 aims to specify a feature which would distinguish between browser-initiated navigation (e.g. a user clicks on a bookmark, or types into the address b…
-
WPT xhr/xmlhttprequest-sync-default-feature-policy (via feature-policy/resources/featurepolicy.js) expects an "allow" attribute to exist on an iframe that just came out of document.createElement. I do…
-
Coming from the Chromium bug report [742485](https://bugs.chromium.org/p/chromium/issues/detail?id=742485) and its corresponding [CL](https://chromium-review.googlesource.com/c/chromium/src/+/2673406?…
-
Throughout the specification it's very much unclear where certain state in algorithms is pulled from. E.g., https://fedidcg.github.io/FedCM/#fetch-the-manifest does not make it clear it takes a provid…
-
Hi,
we at Mozilla are increasing our readiness to adopt the [upgrading of mixed content](https://www.w3.org/TR/mixed-content/#upgrade-algorithm) and intend to ship it in Nightly soon.
Something we…
-
For example, if I have
```js
x = document.createElement('script');
x.textContent = 'console.log(0)';
document.head.appendChild(x);
```
on a page with a CSP of `script-src 'strict-dynamic' …