-
_From @mikewest on August 22, 2015 0:1_
After a quick chat with @briansmith, I think I'm convinced that it would be worth giving subresource fetches the capability of canceling themselves based on th…
-
My interpretation of CSP level 2 was always that child-src applied both to the (at that time) deprecated frame-src context and added web workers. I personally only use one web worker and it is served …
-
We (@otherdaniel and I) want to help with and ensure well-specified interactions between the Sanitizer API and HTML.
Specifically, we were thinking of this split:
Sanitizer API
- Sanitizer interf…
-
Permissions-Policy for internet.nl could maybe get score A+ instead of A.
https://securityheaders.com/?q=internet.nl&followRedirects=on
There could be some reason not to implement.
-
A clean list of features that will be welcome from contributors.
**How to?**
1. Choose something in the list or write your own proposition
2. Create an issue and write down what you have chose…
-
Pretty please.
-
Ties into issue #33
By creating an unconfined child context, before becoming confined, it is possible to leak secrets to it.
# Leaking Information
```
…
```
-
The spec does not give precise guidelines for dealing with failed logins.
Assume the following setup:
- User has one credential stored with required user mediation being false.
- The website cont…
-
```
What steps will reproduce the problem?
1. Add the following string to a URL that loads rsh.js:
#foobar'onload='alert("XSS")
What is the expected output? What do you see instead?
Expected b…
```
-
MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
#### What information was incorrect, unhelpful, or incomplete?
Documentation says that `docum…