-
As specified in https://github.com/w3c/webappsec-csp/pull/457, the default for "webrtc" is "on", due to Web compatibility.
At the moment, RTCPeerConnection is only available in [Window] context; ht…
-
I'm working on a project to only have up-to-date specifications referenced from MDN.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types documents plugin-ty…
-
(Please close https://github.com/w3c/webappsec/issues/513 if this is the more appropriate forum for the request)
As it stands, it seems that I need to explicitly add `example.com` and `cdn.example.…
-
### What is the issue with the Fetch Standard?
A `header name` has to match the `field-name` syntax (which is token) and does not allow all kinds of values, such as 0x00.
The specifications do not see…
-
Assume a document nesting scenario of A1 -> B -> A2 whereby A1 and A2 are same-origin with each other and cross-site with B. In the real world this sometimes materializes as a publisher embedding an a…
-
We (@otherdaniel and I) want to help with and ensure well-specified interactions between the Sanitizer API and HTML.
Specifically, we were thinking of this split:
Sanitizer API
- Sanitizer interf…
-
# 🔵TODO
- [ ] Handle #22
- [ ] Create a presentation of the project using the following guidelines:
![image](https://github.com/user-attachments/assets/dc75ecc3-e307-4b1d-a8c7-8e068e75eec8)
…
-
As noted in http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf and discussed a bit in https://github.com/w3c/webappsec-csp/issues/186, an unclosed `target` attribute of `` can inadvertently suck u…
-
```
What steps will reproduce the problem?
1. Add the following string to a URL that loads rsh.js:
#foobar'onload='alert("XSS")
What is the expected output? What do you see instead?
Expected b…
```
-
Per [MDN](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch), `fetch` can take a `FederatedCredential` as `credentials` for the `init` param:
> `credentials`: The req…