-
```
What steps will reproduce the problem?
1. Add the following string to a URL that loads rsh.js:
#foobar'onload='alert("XSS")
What is the expected output? What do you see instead?
Expected b…
```
-
Per https://github.com/w3c/webappsec-feature-policy/issues/189#issuecomment-627339552 the spec is still in flux.
https://featurepolicy.info/ only lists Chrome and Firefox, and https://caniuse.com/#…
-
[draft right now, please ignore if you are not joel ;)]
Right now, Section 4 focuses on particular examples like XHR, CORS etc for fetches. Instead, we should treat all fetches as crossorigin (e.g., …
-
Nick Doty npdoty@w3.org to public-webappsec, public-privacy
Hi WebAppSec/Permissions folks, (CC Privacy Interest Group for their awareness and in case they have feedback)
I remain concerned about th…
-
The [feature policy description](https://github.com/WICG/feature-policy/blob/master/policies/animations.md) appears to have a lot of inaccuracies. e.g.
> In order to produce animations on the web, …
-
Presently, [credman](https://w3c.github.io/webappsec-credential-management/)'s [create-a-cred](https://w3c.github.io/webappsec-credential-management/#algorithm-create) and [request-a-cred](https://w3c…
-
I would like to ask to extend the possibilities of SRI by adding some form of signature checking.
This would most probably be a 'version 2.0' request ;).
**Why?**
Currently web developers (of the…
-
## Module
Collector.jar
## File Path
com/trgr/infra/collector/config/DatabaseConfigurationParser.java
## Line
497
## Description
This database query contains a SQL injection flaw. The call to …
-
**Describe the issue**
A dependency, [cbor-x](https://github.com/kriszyp/cbor-x/), triggers CSP errors due to its requirement for `unsafe-eval`. This is observed in the dependency's code, leading to …
-
The [parser-inserted](https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted) flag is passed to `parser metadata` which is used in CSP to determine whether scripts are allowed to run. I…