-
## What change would you like to see?
When attempting to review a particular page from the QA tab, I would like to be shown _why_ the QA UI fails to load whenever it fails to do so (as indeed may h…
-
_From @dconnolly on July 19, 2017 18:44_
For some static hosts (*cough* S3 *cough*) dynamic response headers or custom HTTP headers are not available, so they cannot serve `Content-Security-Policy` o…
-
Currently, 3rd parties will only be sent client hints if both:
- Accept-CH is set to request the relevant headers.
- Feature-Policy / Permissions-Policy is set to allow each 3rd party access to ea…
-
As of right now, we will need to write unit tests for functions in `src/sanitizer.js` and integration tests for `Sanitizer` methods.
We might be able to draw inspiration from [the testing setup](ht…
-
Consider the [example](https://github.com/DCtheTall/CHIPS#third-party-locator-service) of `embed.maps.com`, the locator service that `example.com` embeds on their site which sets a cookie to remember …
-
**Is your feature request related to a problem? Please describe.**
[Permissions Policy, W3C Working Draft, 16 July 2020](https://www.w3.org/TR/permissions-policy-1/) specifies that `Feature-Policy`…
-
Consider the following testcase:
1) A parent page has a frame-src CSP directive restricting to the same site.
2) The parent page has a subframe that does not have CSP defined at all and contains a…
-
The [introduction](https://w3ctag.github.io/packaging-on-the-web/#intro) says:
> Initiatives such as Firefox OS and Chrome OS demonstrate the potential of trusted, installable applications built with…
-
Here is what the current specification says:
> Let the default sources be the result of parsing the **_default-src_** directive’s value as a source list if a `default-src` directive is explicitly spe…
-
```
What steps will reproduce the problem?
1. Add the following string to a URL that loads rsh.js:
#foobar'onload='alert("XSS")
What is the expected output? What do you see instead?
Expected b…