public-webappsec@w3.org from February 2013 by subject

[Bug 21012] New: Add more text on Vary

[Bug 21013] New: Credentials and HTTP authentication

[CORS] list max-age as algorithm parameter

[CORS] typos

[webappsec] Agenda for 12-Feb-2013 WebAppSec Teleconference

[webappsec] Handling custom elements in CSP

[webappsec] March 12 teleconference CANCELLED due to conflict with IETF

[webappsec] minutes available

[webappsec] UI Security, allow-from values

[webappsec] WG satisfaction survey

Action-92: Propose spec text to resolve ISSUE-32

Agenda for Feb 26 Call

Blank blocked-uris

Call for Exclusions (Update): User Interface Safety Directives for Content Security Policy

CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented

CSP and inline styles

CSP script hashes

Do we need Connectors between javascript and security software at personal device?

Feedback on UI Safety draft

FTC v HTC America

Help needed (or not?) (was ISSUE-27: Implementation concern on how to enforce display-time : should we provide more advice on how to do this efficiently?)

ISSUE-32: Do we specify that path-specificity applies only to hierarchical URI schemes?

ISSUE-38: Discuss no-mixed-content directive

ISSUE-44: Same-origin policy identity query via script-hash. issue is you do a third party inline script with a known script-hash. if it succeeds, you know that the target was as expected, even though you can't read it

No scheme in policy: Errors for either scheme

Proposal for script-hash directive in CSP 1.1

Restricting <base> URLS via CSP

W3C account

webappsec-ISSUE-42 (CSS Nonce): Script-nonce allows inline script, similar treatment for inline css?

webappsec-ISSUE-43 (Custom Elements in CSP 1.1): How are custom elements handled in CSP 1.1? [CSP 1.1]

Why no fragment part in CSP-report document-uri?

Last message date: Thursday, 28 February 2013 21:19:02 UTC