-
The problem involves how HTML FORM inputs are exposed on the parent `` element. It was originally introduced in the MS Internet Explorer as far back as JavaScript 1.0 and eventually copied by most of …
-
I can't find any documentation of the labels in use in this repo. I'd like to write that documentation, and based on that work out some triage process for groups of labels.
@tobie, where is the cod…
-
the policy
```
object-src 'none'; object-src 'self';
```
right now enforces "'none'". Instead, I think it should append to the list of allowed object sources.
CSP is already eminently unprogrammab…
-
Following up from the presentation today, I'd like to eventually propose moving the Trust Token API work from the WICG to the Anti-Fraud CG.
Current Documents: https://github.com/WICG/trust-token-a…
-
```
HTTP splitting attack in WebGoat is demonstrated on code which is actually
not vulnerable to HTTP splitting itself (at least not in today's common
browsers). This makes it confusing to the st…
```
-
For a modern website with a lot of JS files, the overhead of loading SHA hashes of each and every file it might ever need adds up to quite a bit of overhead. We should allow the page to provide a public …
-
The goal is to remove `unsafe-eval` from the CSP of PrivateBin.
## Reason it is included
> The `unsafe-eval` is required in Chrome and Safari for WASM loading. If not set, calling WebAssembly.in…
rugk updated
5 months ago
-
In order to be more flexible about server hosting options. Requiring two ports makes it more difficult to host with shared hosting providers in case you don't want it running on your local machine.
-
Currently, data exchange capabilities that are exposed to the Web are restricted through [CSP connect-src](https://www.w3.org/TR/CSP3/#directive-connect-src), which restricts which origins can be conn…