bakkot
commented
7 months ago Can I suggest spending some time revisiting some of the long-standing spec bugs in the CSP spec? I got bit by https://github.com/w3c/webappsec-csp/issues/609, and it looks like Safari is following the spec (i.e. not respecting worker-src 'strict-dynamic') rather than - well, there's nothing else for it to follow (including no tests that I can find), so I guess "rather than doing what Chrome does". If worker-src 'strict-dynamic' is to actually be usable it's going to need the spec fixed so Safari will update.
There's a few more, like https://github.com/w3c/webappsec-csp/issues/426, https://github.com/w3c/webappsec-csp/issues/523, https://github.com/w3c/webappsec-csp/issues/423, etc, though I think mostly these haven't lead to implementation issues like the one above.
More generally, getting a more consistent story around hashes, nonces, and strict-dynamic would be of great help. There's a bunch of stuff which has come up over the years - https://github.com/w3c/webappsec-csp/issues/632, https://github.com/w3c/webappsec-csp/issues/375, https://github.com/w3c/webappsec-csp/issues/623, https://github.com/w3c/webappsec-csp/issues/625, https://github.com/w3c/webappsec-csp/issues/433, https://github.com/w3c/webappsec-csp/issues/487, https://github.com/w3c/webappsec-csp/issues/212, etc.
mozfreddyb
kyraseevers
Planning the 2024-01-17 WebAppSec meeting. A few potential topics come to mind:
Trusted Types, given Mozilla's rekindled interest. Perhaps @koto, @otherdaniel, @mozfreddyb would be interested in chatting through some of the outstanding issues raised in those comments/against the spec?
:visitedpartitioning. @kyraseevers has been pushing ahead with infrastructure changes in Chromium. Perhaps there's interest in discussing some of the feedback (e.g. https://github.com/w3ctag/design-reviews/issues/896#issuecomment-1850567441)?Cross-Origin-Opener-Policy: restrict-properties. @camillelamy might have feedback to share from the Origin Trial Chrome's currently running?Your idea goes here.