- Content addressing replaces the notion of a content "origin" with trustless, p2p integrity checking, so you can reliably fetch content from any and all peers that have it. Domains as the content ori…
- Per https://github.com/heycam/webidl/pull/423#issuecomment-326332460 this exists. I'd like to study such usage and see if we can get rid of it.
- SecurityPolicyViolationEventInit data member naming doesn't seem to match browsers. In particular:
  - WebKit & Blink use documentURI & blockedURI while the specification uses documentURL & blockedURL…
- block-all-mixed-content doesn't actually appear in any CSP spec. It's only referenced in Mixed Content Section 4, "Strict Mixed Content Checking".
  It seems like `block-all-mixed-content` would be the…
- Many WHATWG specs now link to tests in the header:
  * https://dom.spec.whatwg.org/
  * https://fullscreen.spec.whatwg.org/
  * https://notifications.spec.whatwg.org/
  * and so on...

  This is using the…
- I assumed this was a given, but apparently people are surprised and don't really know or understand what should happen when SRI fails.
  We should add a note that recommends more clearly...
  a) what …
- ```
  Some password hashing systems make use of a so-called "pepper". Like a salt,
  but there is a single one, stored externally from the password database, and
  hopefully in a manner which is as diffic…
  ```
- Related to #904, #917, we should consider HSTS as well. Per https://webkit.org/blog/8146/protecting-against-hsts-abuse/ Safari has this.
  What's written down there is not entirely unambiguous so I h…
- The motivation of https://w3c.github.io/webappsec-subresource-integrity/ was to have safeguards for third-party scripts and style sheets, but with the introduction of module scripts (and also the exis…
- From [AC Review](https://lists.w3.org/Archives/Public/public-review-comments/2024Mar/0000.html):
  [[
  We are concerned about the new "End-to-End Encryption email" proposed optional deliverable because…