-
https://w3c.github.io/trusted-types/dist/spec/#should-block-create-policy step 9 sets a violation's resource to "trusted-types-policy".
https://w3c.github.io/webappsec-csp/#violation-resource doesn…
-
Should access to http://127.0.0.0/8 or ::1/128 be considered safe for mixed content policy? We have noticed that some browsers have allowed http://127.0.0.1, but still consider access to other addre…
-
Abstract
This document describes how an author can set a referrer policy for documents they create, and the impact of such a policy on the Referer HTTP header for outgoing requests…
-
nopCommerce version: nopCommerce_4.70.0_NoSource_linux_x64.zip
Steps to reproduce the problem: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.
By s…
-
## Request for Mozilla Position on an Emerging Web Specification
* Specification title: Content Security Policy (and Trusted Types)
* Specification or proposal URL (if available): https://gith…
-
There seems to be a bunch of inline scripts or style rules [such as this](https://github.com/go-gitea/gitea/blob/master/templates/repo/settings/hook_settings.tmpl#L24) that don't play nice with CSP. T…
-
Long story short, I've been using this to distribute files meant to be viewed locally, rather than on a server. CryptoJS, its embeddable nature, and the fact that it doesn't require HTTPS served my pur…
-
I may be missing something but the spec doesn't make it clear that the policy is ephemeral and only applies to the document rendered from the HTTP response where the policy header was found.
If tha…
-
CSP currently has a few gaps that prevent it from being a useful anti-exfiltration mechanism. https://www.w3.org/TR/CSP3/#exfiltration hints that preventing data exfiltration may be a goal, but it's n…
-
I'd like to propose a change to the ServiceWorker spec that allows for applications which cannot be forced by the server to install updates.
### Background
Native applications have a significant secu…