-
I thought I had seen something like report-uri for SRI, but going over the spec I cannot find anything similar.
It'd be nice to know when at least the primary source integrity check fails.
-
The rules of cross-frame string compilation have some counter-intuitive results.
"If a parent frame *forbids* 'unsafe-eval' and a child frame *allows* 'unsafe-eval', and both are on the same origin…
-
I work for a large-scale ad-serving company that hosts third-party creatives on our CDN. One of the challenges we have at the moment is controlling the scope of the Permissions API. Consider the follo…
-
This issue was ported from https://github.com/WebKit/explainers/issues/44.
> What is the benefit to an application in knowing the value of isLoggedIn? My impression is that there's little to no ben…
-
Gaming companies often host binaries through a CDN, and these CDNs sometimes also host unwanted software. Browsers rely on technologies such as [Safe Browsing](https://www.google.com/transparencyrepor…
-
I can't find any documentation of the labels in use in this repo. I'd like to write that documentation, and based on that work out some triage process for groups of labels.
@tobie, where is the cod…
-
HTTP splitting attack in WebGoat is demonstrated on a code, which is actually
not vulnerable to HTTP splitting itself (at least not in common today's
browsers). This makes it confusing to the st…
-
Following up from the presentation today, I'd like to eventually propose moving the Trust Token API work from the WICG to the Anti-Fraud CG.
Current Documents: https://github.com/WICG/trust-token-a…