w3c/webappsec-csp
WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/
Other
207 stars, 78 forks
issues
#681 Dany (Dannyss18, closed, 1 week ago, 0 comments)
#680 port-part being null is not handled (evilpie, opened, 3 weeks ago, 0 comments)
#679 Feedback request on not capturing the caller in `new Function` and indirect `eval` (nicolo-ribaudo, opened, 1 month ago, 0 comments)
#678 "pre-navigation-check" (mbrodesser-Igalia, closed, 1 month ago, 0 comments)
#677 Should font-src reporting kick in on font-face reference or font request? (robinwhittleton, opened, 1 month ago, 6 comments)
#676 loading local stylesheets without self source (nizos, opened, 1 month ago, 2 comments)
#674 Consider using SecurityPolicyViolationEvent.sourceFile a USVString (emilio, opened, 2 months ago, 1 comment)
#673 CSP spec not user-friendly (galund, opened, 2 months ago, 0 comments)
#672 CSP Report Does Not Reflect Redirected Blocked Domains (ConardLi, opened, 2 months ago, 7 comments)
#671 Queries about exfiltration? (Blason, closed, 2 months ago, 2 comments)
#670 Even though I have domains specified in the CSP policy violations still appear (Blason, closed, 2 months ago, 2 comments)
#669 `report-sample` is not checked when firing "securitypolicyviolation" events (mbrodesser-Igalia, closed, 3 months ago, 1 comment)
#668 Fix .pr-preview.json (lukewarlow, closed, 3 months ago, 2 comments)
#667 [Meta] PR Previews not working (lukewarlow, closed, 3 months ago, 0 comments)
#666 "trusted-types-policy" missing from a violation's resource (mbrodesser-Igalia, closed, 3 months ago, 1 comment)
#665 Add `trusted-types-eval` source expression for `script-src` (lukewarlow, opened, 4 months ago, 2 comments)
#664 Add new CSP sandbox directive to allow SameSite=None cookies on top-level frames (DCtheTall, opened, 4 months ago, 7 comments)
#663 Fix check of request initiator being "fetch" (antosart, opened, 4 months ago, 0 comments)
#662 frame-src is not effective in restricting the possible origins of subframes (antosart, opened, 4 months ago, 0 comments)
#661 Qqqq (Nik12325, closed, 4 months ago, 0 comments)
#660 Request's initiator can't be "fetch" (zcorpan, opened, 4 months ago, 0 comments)
#659 Upstream Trusted Types enforcement in EnsureCSPDoesNotBlockStringCompilation (lukewarlow, closed, 3 weeks ago, 5 comments)
#658 Possibility to block all javascript: URLs (Sjord, opened, 5 months ago, 3 comments)
#657 Correctly match `*` as a `host-part`. (mikewest, closed, 5 months ago, 3 comments)
#656 host-part match doesn't handle * (evilpie, closed, 5 months ago, 1 comment)
#655 Add notes about non-normativity. (mikewest, closed, 5 months ago, 1 comment)
#654 Fix script post-request check for scripts allowed by hashes (antosart, closed, 5 months ago, 0 comments)
#653 strict-dynamic and SRI (annevk, closed, 5 months ago, 3 comments)
#652 Content Security Policy (CSP) Bypass via Same-Origin iFrames (RedYetiDev, closed, 6 months ago, 1 comment)
#651 Upstream trusted type changes (lukewarlow, opened, 6 months ago, 1 comment)
#650 Update EnsureCSPDoesNotBlockStringCompilation to match updated HostEnsureCanCompileStrings definition (lukewarlow, closed, 3 months ago, 4 comments)
#649 Document columnNumber format (stefnotch, opened, 6 months ago, 1 comment)
#648 Google Analytics URLs (cristiandelgadod, opened, 7 months ago, 1 comment)
#647 Confusion revolving around sandbox 'allow-top-navigation' directive (franklyn07, closed, 6 months ago, 2 comments)
#646 Fix reference link for [TIMING] (antosart, closed, 7 months ago, 0 comments)
#645 Remove required condition on the attributes for SecurityPolicyViolationEventInit dict (SaeidEid, closed, 7 months ago, 0 comments)
#644 [TIMING] references broken (bkardell, closed, 7 months ago, 0 comments)
#643 "Is element nonceable" not applied to non-<script> elements in Chrome? (evilpie, opened, 7 months ago, 0 comments)
#642 Add `[SecureContext]` tag to the interfaces (OnkarRuikar, closed, 2 months ago, 1 comment)
#640 Why is the Content-Security-Policy-Report-Only header field not supported in `<meta>` elements? (mbrodesser-Igalia, closed, 7 months ago, 5 comments)
#639 Add optional trailing dot to host-part (SaeidEid, closed, 8 months ago, 1 comment)
#638 `service-worker-src` directive (bakkot, opened, 8 months ago, 0 comments)
#637 Resource hint: check directives explicitly (noamr, opened, 8 months ago, 0 comments)
#636 Is-element-nonceable should check if the attribute's name |contains| <script or <style> (evilpie, closed, 8 months ago, 0 comments)
#635 Does "Is Element Nonceable" apply to non-inline scripts? (evilpie, opened, 8 months ago, 1 comment)
#634 Chrome/Safari trim nonces (evilpie, opened, 9 months ago, 11 comments)
#633 Resource hint blocking / "least restrictive" as specified does nothing? (evilpie, opened, 9 months ago, 4 comments)
#632 Some way to allow workers other than URL and strict-dynamic (bakkot, opened, 9 months ago, 0 comments)
#631 Problem with SecurityPolicyViolationEvent constructor and optional init dict (evilpie, closed, 7 months ago, 9 comments)
#630 Replace RFC7231 with RFC9110 (antosart, closed, 10 months ago, 0 comments)