-
As a "non-expert" and someone trying to understand the specs, take a look at the example below which has both an inline script and a script resource which contain `alert('Hello, world.');`
```
alert…
-
Google Chrome and the ostensibly open source browser Chromium implementation of `SpeechRecognition` records the user's voice and sends the users' biometric data to a remote web service https://bugs.chro…
-
- [x] Check if the header is sent for non-HTML resources (e.g.: on images, fonts, etc.) - done in https://github.com/MicrosoftEdge/Sonar/commit/c55bdfb8f57b3d6a4b48bd1ed5caab25d6a20171.
- [ ] Check f…
alrra updated
4 years ago
-
Proposing a new feature policy for lazy-loading which will overwrite the default or specified behavior of `lazyload` [attribute](https://github.com/whatwg/html/pull/3752) for `` and ``. The proposed n…
-
```
Some password hashing systems make use of a so-called "pepper". Like a salt,
but there is a single one, stored externally from the password database, and
hopefully in a manner which is as diffic…
-
chrome://settings/security has a feature (on by default IIRC) that warns if your credentials have been exposed in a breach:
We should look into enabling this in Brave. The Chrome implementation…
-
```
Some password hashing systems make use of a so-called "pepper". Like a salt,
but there is a single one, stored externally from the password database, and
hopefully in a manner which is as diffic…
-
Raising this separately from #107 as that is mostly focused on the other types (which go through Fetch).
See @samuelhorwitz's comment at https://github.com/whatwg/fetch/issues/658#issuecomment-3560…
-
The CSP 3 spec does not allow Content-Security-Policy-Report-Only headers in meta tags. This can prevent sites from safely testing CSP prior to enforcing the policy with a Content-Security-Policy meta…
-
Firefox fails this test, but looking at the network tab, it appears that the script (https://mixed-script.badssl.com/nonsecure.js) has been accidentally upgraded to https.