-
I'm running into a weird situation in practice in both FF and Chrome where if I send `frame-src 'nonce-...';`, the browsers still don't allow a nonce-tagged iframe to load. Chrome even explicitly retu…
-
Nowadays, we have two ways for authorization on web browser:
1. username and password;
2. OAuth (I think `email + verification code`, `phone number + sms code` are just another appearance of OAuth)…
-
I have a question about the behavior of explicitly `worker-src 'strict-dynamic'`. Workers are obviously not parser-inserted so for script-src and script-src-elem the [Script directives pre-request che…
-
Continuation of https://www.w3.org/Bugs/Public/show_bug.cgi?id=23878#c20.
> It'd be nice if there was an ~observer API that allowed an application to be notified when new fetch requests are added to t…
-
# Document title, URLs, estimated publication date
Fetch Metadata
https://mikewest.github.io/sec-metadata/
Whenever.
(I suppose we'll need to update this once it's moved to the webappsec repo …
-
# Document title, URLs, estimated publication date
Feature Policy
https://gitcdn.link/cdn/w3c/webappsec-feature-policy/db9265d373a695ceb58652144abd65573c4aa213/index.html
April 2, 2019
# Abstrac…
-
Right now the only way to allow `eval` (or the equivalent `new Function`) is by using the `unsafe-eval` policy. This policy should be used as little as possible, because it allows *any* usage of eva…
-
No WPT for https://html.spec.whatwg.org/multipage/browsing-the-web.html#create-navigation-params-by-fetching step 19.3 exists.
It's relevant for TT because the above step calls [1] and that calls [2].…
-
SHA-3 has been published. Why not require (or strongly suggest) support for it as well?
-
This issue was ported from https://github.com/WebKit/explainers/issues/44.
> What is the benefit to an application in knowing the value of isLoggedIn? My impression is that there's little to no ben…