public-webappsec@w3.org from November 2012: by subject

[Bug 19920] New: Don't allow space-separated origins in the syntax
- bugzilla@jessica.w3.org (Friday, 9 November)
[webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter
- Hill, Brad (Thursday, 29 November)
- Arthur Barstow (Thursday, 29 November)
- Hill, Brad (Tuesday, 27 November)
[webappsec] Agenda for Teleconference of Nov 20, 2012
- Hill, Brad (Tuesday, 20 November)
[webappsec] Call for Consensus: CSP 1.1 to FPWD
- Jacob Rossi (Thursday, 29 November)
- Mike West (Thursday, 29 November)
- Adam Barth (Wednesday, 28 November)
- Jacob Rossi (Wednesday, 28 November)
- Eric Chen (Wednesday, 28 November)
- Jacob Rossi (Wednesday, 28 November)
- Adam Barth (Wednesday, 28 November)
- Adam Barth (Tuesday, 27 November)
- Fred Andrews (Tuesday, 27 November)
- Hill, Brad (Tuesday, 27 November)
[webappsec] call for reportURIs DOM API use cases
- Hill, Brad (Monday, 5 November)
[webappsec] New draft charter for discussion
- Hill, Brad (Tuesday, 20 November)
[webappsec] PLEASE RESPOND: poll for new teleconference time
- Hill, Brad (Thursday, 15 November)
[webappsec] Reminder, today's call is CANCELLED
- Hill, Brad (Tuesday, 6 November)
[webappsec] Remote participation in IETF websec meeting
- Hill, Brad (Monday, 5 November)
[webappsec] subsume X-XSS-Protection into CSP 1.1?
- Mike West (Saturday, 17 November)
- Adam Barth (Saturday, 17 November)
- Mike West (Saturday, 17 November)
- Adam Barth (Tuesday, 13 November)
- Mike West (Monday, 12 November)
- Adam Barth (Friday, 9 November)
- Hill, Brad (Thursday, 8 November)
- neil matatall (Thursday, 8 November)
- Adam Barth (Thursday, 8 November)
- Hill, Brad (Thursday, 8 November)
[webappsec] Teleconference Poll: time unchanged
- Hill, Brad (Wednesday, 21 November)
[webappsec] TPAC chatlog cleanup
- Hill, Brad (Monday, 19 November)
[webappsec] updated draft SVG: simple CORS request
- Mike West (Wednesday, 7 November)
- Hill, Brad (Wednesday, 7 November)
- Arthur Barstow (Wednesday, 7 November)
[websec] Call for Consensus: CORS to Candidate Recommendation
- Adam Barth (Wednesday, 21 November)
A11y for Web App Sec Anti clickjacking spec
- Hill, Brad (Wednesday, 21 November)
- Léonie Watson (Sunday, 18 November)
Batching CSP violation reports.
- Jacob Rossi (Monday, 5 November)
- Alex Russell (Monday, 5 November)
- Hill, Brad (Monday, 5 November)
- Mike West (Monday, 5 November)
- Ian Melven (Monday, 5 November)
- Mike West (Monday, 5 November)
Call for Consensus: CORS to Candidate Recommendation
- Arthur Barstow (Friday, 16 November)
- Odin Hørthe Omdal (Friday, 16 November)
- Hill, Brad (Thursday, 15 November)
Call for Exclusions: User Interface Safety Directives for Content Security Policy
- Ian Jacobs (Tuesday, 20 November)
CORS test status
- Hill, Brad (Wednesday, 21 November)
- Odin Hørthe Omdal (Wednesday, 21 November)
CSP and inline styles
- Dan Veditz (Friday, 2 November)
- L. David Baron (Friday, 2 November)
CSP, style-src, and what it means to ignore style attributes
- Adam Barth (Friday, 2 November)
- L. David Baron (Friday, 2 November)
how to protect javascript codes
- Dan Veditz (Monday, 19 November)
- Mountie Lee (Monday, 19 November)
- Dan Veditz (Saturday, 17 November)
- Mountie Lee (Saturday, 17 November)
- Mountie Lee (Saturday, 17 November)
- Hill, Brad (Saturday, 17 November)
- Dan Veditz (Saturday, 17 November)
- Mountie Lee (Saturday, 17 November)
ISSUE-20: If browsers apply this heuristic without an explicit opt-in policy, should we always block and not have the unsafe UIEvent property
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-21: Do assistive technologies send real events or synthetic events?
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-22: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so event is not delivered)
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-23: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block so event is not delivered
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-24: ();
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-25: Do frame-options directives (or other UISafety directives) make sense in a meta tag context?
- Fred Andrews (Sunday, 11 November)
- Fred Andrews (Sunday, 4 November)
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-26: Does the sandbox directive make sense in a meta tag context?
- Fred Andrews (Monday, 5 November)
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-27: Implementation concern on how to enforce display-time : should we provide more advice on how to do this efficiently?
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
- Hill, Brad (Monday, 5 November)
- Hill, Brad (Monday, 5 November)
- Fred Andrews (Monday, 5 November)
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-29: What are sane defaults for clipping with clipping or selectors?
- Web Application Security Working Group Issue Tracker (Thursday, 1 November)
ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface
- Fred Andrews (Monday, 5 November)
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-31: What specification's definition of URL/URI are we using for path parsing in CSP 1.1?
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-32: Do we specify that path-specificity applies only to hierarchical URI schemes?
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-33: Need to address blob, data, filesystem URL types with greater specificity in CSP 1.1 spec
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-34: Discuss use cases / risks of script access to CSP information, solicit specific public comment on this feature with FPWD
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-35: Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs?
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-36: Are we interested in considering script-hash as a CSP 1.1 directive?
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-37: How to apply plugin-types in CSP 1.1 to iframes
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive
- Dan Veditz (Saturday, 3 November)
- Dan Veditz (Saturday, 3 November)
- Adam Barth (Friday, 2 November)
- Ian Melven (Friday, 2 November)
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
ISSUE-39: Discuss CSP relevant use cases for possibly including Meta Referrer as a CSP directive
- Web Application Security Working Group Issue Tracker (Friday, 2 November)
Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- Carine Bournez (Tuesday, 20 November)
- Robin Berjon (Tuesday, 20 November)
- Carine Bournez (Tuesday, 20 November)
- Hill, Brad (Tuesday, 20 November)
- Hill, Brad (Monday, 5 November)
- Thomas Roessler (Monday, 5 November)
- Hill, Brad (Monday, 5 November)
- Carine Bournez (Monday, 5 November)
Restricting APIs in CSP
- Ian Melven (Tuesday, 20 November)
- Dan Veditz (Friday, 2 November)
- Eric Rescorla (Friday, 2 November)
RfR: CORS tests - deadline 6 December
- Karl Dubost (Thursday, 22 November)
- Boris Zbarsky (Wednesday, 21 November)
- Odin Hørthe Omdal (Wednesday, 21 November)
Running a few min late
- Hill, Brad (Thursday, 1 November)
Script-nonce policies
- Hill, Brad (Sunday, 4 November)
- Adam Barth (Friday, 2 November)
- Joel Howard Willis Weinberger (Friday, 2 November)
- Adam Barth (Friday, 2 November)
Security model review CSS Masking
- Dirk Schulze (Tuesday, 6 November)
TPAC meeting adjourned
- Hill, Brad (Friday, 2 November)
TPAC schedule clarification
- Hill, Brad (Thursday, 1 November)
Trigger a DOM event/error when a CSP violation happens.
- Mike West (Thursday, 29 November)
- Dan Veditz (Wednesday, 28 November)
- Dan Veditz (Wednesday, 28 November)
- Devdatta Akhawe (Tuesday, 27 November)
- Mike West (Tuesday, 27 November)
- Devdatta Akhawe (Tuesday, 27 November)
- Mike West (Thursday, 22 November)
- Eduardo' Vela (Thursday, 22 November)
- Mike West (Thursday, 22 November)
UI Safety Obstruction check and transforms
- David Lin-Shung Huang (Wednesday, 28 November)
- Fred Andrews (Wednesday, 28 November)
- Mountie Lee (Wednesday, 28 November)
- David Lin-Shung Huang (Wednesday, 28 November)
- Fred Andrews (Wednesday, 21 November)
updated test VM link
- Hill, Brad (Thursday, 1 November)
webappsec-ISSUE-40 (X-XSS-Protection): Look at incorporating X-XSS-Protection functionality into CSP 1.1
- Web Application Security Working Group Issue Tracker (Thursday, 8 November)

public-webappsec@w3.org from November 2012 by subject