w3c/webappsec-csp
WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/
Other
210 stars, 78 forks
issues
Consider recommending the usage of events instead of CSP reports for CSP WPTs
#690
mbrodesser-Igalia
opened
2 days ago
0
Getting "Refused to execute inline script because it violates the following Content Security Policy directive:" Error
#689
JyotiPMallick
closed
4 days ago
5
Assigning `location.href` to a `javascript:...` is a form of eval
#688
dinofx
opened
2 weeks ago
9
Should "Should navigation request of type be blocked by Content Security Policy?" set the violation object's element?
#687
mbrodesser-Igalia
opened
4 weeks ago
0
How to set CSP without unsafe-inline for site with ads?
#686
Wowhere
closed
1 month ago
6
Fix parsing response's CSP type mismatch
#685
antosart
closed
1 month ago
0
Parse response’s CSPs parsing header list values type mismatch
#684
0x4261756D
closed
1 month ago
0
Introduce 'connect-certificate-hash' for WebTransport
#683
jan-ivar
opened
1 month ago
1
CSP headers are incorrect with multiple rules
#682
letanloc1998
opened
1 month ago
3
Dany
#681
Dannyss18
closed
1 month ago
0
port-part being null is not handled
#680
evilpie
opened
2 months ago
0
Feedback request on not capturing the caller in `new Function` and indirect `eval`
#679
nicolo-ribaudo
opened
2 months ago
0
"pre-navigation-check"
#678
mbrodesser-Igalia
closed
2 months ago
0
Should font-src reporting kick in on font-face reference or font request?
#677
robinwhittleton
opened
3 months ago
6
loading local stylesheets without self source
#676
nizos
opened
3 months ago
2
Consider using SecurityPolicyViolationEvent.sourceFile a USVString
#674
emilio
opened
3 months ago
1
CSP spec not user-friendly
#673
galund
opened
4 months ago
0
CSP Report Does Not Reflect Redirected Blocked Domains
#672
ConardLi
opened
4 months ago
8
Queries about exfiltration?
#671
Blason
closed
4 months ago
2
Even though I have domains specified in the CSP policy violations still appear
#670
Blason
closed
4 months ago
2
`report-sample` is not checked when firing "securitypolicyviolation" events
#669
mbrodesser-Igalia
closed
4 months ago
1
Fix .pr-preview.json
#668
lukewarlow
closed
5 months ago
2
[Meta] PR Previews not working
#667
lukewarlow
closed
5 months ago
0
"trusted-types-policy" missing from a violation's resource
#666
mbrodesser-Igalia
closed
5 months ago
1
Add `trusted-types-eval` source expression for `script-src`
#665
lukewarlow
opened
5 months ago
2
Add new CSP sandbox directive to allow SameSite=None cookies on top-level frames
#664
DCtheTall
opened
6 months ago
7
Fix check of request initiator being "fetch"
#663
antosart
closed
1 month ago
0
frame-src is not effective in restricting the possible origins of subframes
#662
antosart
opened
6 months ago
3
Qqqq
#661
Nik12325
closed
6 months ago
0
Request's initiator can't be "fetch"
#660
zcorpan
closed
1 month ago
0
Upstream Trusted Types enforcement in EnsureCSPDoesNotBlockStringCompilation
#659
lukewarlow
closed
2 months ago
5
Possibility to block all javascript: URLs
#658
Sjord
opened
6 months ago
3
Correctly match `*` as a `host-part`.
#657
mikewest
closed
7 months ago
3
host-part match doesn't handle *
#656
evilpie
closed
7 months ago
1
Add notes about non-normativity.
#655
mikewest
closed
7 months ago
1
Fix script post-request check for scripts allowed by hashes
#654
antosart
closed
7 months ago
0
strict-dynamic and SRI
#653
annevk
closed
7 months ago
3
Content Security Policy (CSP) Bypass via Same-Origin iFrames
#652
RedYetiDev
closed
7 months ago
1
Upstream trusted type changes
#651
lukewarlow
opened
8 months ago
1
Update EnsureCSPDoesNotBlockStringCompilation to match updated HostEnsureCanCompileStrings definition
#650
lukewarlow
closed
5 months ago
4
Document columnNumber format
#649
stefnotch
opened
8 months ago
1
Google Analytics URLs
#648
cristiandelgadod
opened
8 months ago
1
Confusion revolving around sandbox 'allow-top-navigation' directive
#647
franklyn07
closed
8 months ago
2
Fix reference link for [TIMING]
#646
antosart
closed
9 months ago
0
Remove required condition on the attributes for SecurityPolicyViolationEventInit dict
#645
SaeidEid
closed
9 months ago
0
[TIMING] references broken
#644
bkardell
closed
9 months ago
0
"Is element nonceable" not applied to non-<script> elements in Chrome?
#643
evilpie
opened
9 months ago
0
Add `[SecureContext]` tag to the interfaces
#642
OnkarRuikar
closed
4 months ago
1
Why is the Content-Security-Policy-Report-Only header field not supported in `<meta>` elements?
#640
mbrodesser-Igalia
closed
9 months ago
5
Add optional trailing dot to host-part
#639
SaeidEid
closed
10 months ago
1