public-webappsec@w3.org from October 2013 by subject

'referrer' directive strawman.

• Anne van Kesteren (Tuesday, 22 October)
• Mike West (Monday, 21 October)

[Bug 23653] New: Advice on CORS and caches

• bugzilla@jessica.w3.org (Monday, 28 October)

[Bug 23654] New: Point out that Access-Control-Allow-Origin:* is safe for servers not behind a firewall

• bugzilla@jessica.w3.org (Monday, 28 October)

[CORS] Clarifying the term "user credentials"

• Monsur Hossain (Friday, 11 October)
• Austin William Wright (Friday, 11 October)

[webappsec] Agenda for 8-Oct-2013 Teleconference

• Brad Hill (Tuesday, 8 October)

[webappsec] Handling unsafe UI events

• David Lin-Shung Huang (Tuesday, 15 October)
• Brad Hill (Monday, 14 October)

[webappsec] ISSUE-53: UISecurity input-protection heuristic for composited rendering

• Giorgio Maone (Saturday, 26 October)
• Robert O'Callahan (Friday, 25 October)
• Giorgio Maone (Tuesday, 22 October)
• Giorgio Maone (Wednesday, 16 October)
• Brad Hill (Tuesday, 15 October)
• David Lin-Shung Huang (Tuesday, 15 October)
• Brad Hill (Monday, 14 October)
• Brad Hill (Monday, 14 October)
• David Lin-Shung Huang (Friday, 11 October)
• Brad Hill (Thursday, 10 October)

[webappsec] new editor's draft of UISecurity

• Brad Hill (Friday, 18 October)

[webappsec] New SVG examples for UISecurity obstruction check

• Brad Hill (Wednesday, 30 October)

[webappsec] POLL: Getting CSP 1.1 to LCWD

• Garrett Robinson (Tuesday, 8 October)
• Glenn Adams (Saturday, 5 October)
• Bjoern Hoehrmann (Saturday, 5 October)
• Glenn Adams (Saturday, 5 October)
• Bjoern Hoehrmann (Saturday, 5 October)
• Brad Hill (Friday, 4 October)
• Glenn Adams (Friday, 4 October)
• Garrett Robinson (Friday, 4 October)
• Glenn Adams (Friday, 4 October)
• Daniel Veditz (Friday, 4 October)
• Carson, Cory (Friday, 4 October)
• Glenn Adams (Thursday, 3 October)
• Daniel Veditz (Thursday, 3 October)
• Glenn Adams (Thursday, 3 October)
• Brad Hill (Thursday, 3 October)
• Glenn Adams (Wednesday, 2 October)
• Glenn Adams (Wednesday, 2 October)
• Daniel Veditz (Wednesday, 2 October)
• Daniel Veditz (Wednesday, 2 October)
• Glenn Adams (Tuesday, 1 October)
• Brad Hill (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Daniel Veditz (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Brad Hill (Tuesday, 1 October)
• Carson, Cory (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Daniel Veditz (Tuesday, 1 October)
• Carson, Cory (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Brad Hill (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)
• Glenn Adams (Tuesday, 1 October)

[webappsec] Reminder: please send your preferences

• Neil Matatall (Tuesday, 22 October)
• Nottingham, Mark (Tuesday, 8 October)
• Daniel Veditz (Tuesday, 8 October)
• Neil Matatall (Tuesday, 8 October)
• Carson, Cory (Monday, 7 October)
• Nottingham, Mark (Monday, 7 October)
• Mike West (Monday, 7 October)
• Odin Hørthe Omdal (Friday, 4 October)
• Brad Hill (Friday, 4 October)

[webappsec] UISecurity input protection: same origin or same document?

• Brad Hill (Thursday, 31 October)
• Anne van Kesteren (Thursday, 31 October)
• Brad Hill (Thursday, 31 October)

[Workers] CSP and SharedWorkers

• David Bruant (Tuesday, 1 October)

Actual Poll vote (was: Reminder: please send your preferences (was: POLL: Getting CSP 1.1 to LCWD))

• =JeffH (Friday, 4 October)

Actual vote and regrets (was Re: [webappsec] POLL: Getting CSP 1.1 to LCWD)

• Giorgio Maone (Saturday, 5 October)

Agenda for October 22, 2013 Teleconference

• Eric Rescorla (Tuesday, 22 October)

Are CSP directives case insensitive?

• John Wong (Monday, 28 October)

Behavior when default-src is missing from a CSP

• Daniel Veditz (Thursday, 10 October)
• Mike West (Thursday, 10 October)
• Neil Matatall (Wednesday, 9 October)
• Neil Matatall (Wednesday, 9 October)

Content-Security-Policy: referrer always

• Anne van Kesteren (Wednesday, 23 October)
• Tom Sepez (Tuesday, 22 October)

CSP and cookie header management

• Anne van Kesteren (Wednesday, 23 October)

CSP script hashes, inline and src'd

• Joel Weinberger (Tuesday, 22 October)
• Tanvi Vyas (Monday, 21 October)
• Ian Melven (Monday, 21 October)
• Brad Hill (Monday, 21 October)
• Neil Matatall (Monday, 21 October)
• Mike West (Monday, 21 October)
• Trevor Perrin (Monday, 21 October)
• Yoav Weiss (Saturday, 19 October)
• Garrett Robinson (Saturday, 19 October)
• Garrett Robinson (Saturday, 19 October)
• Neil Matatall (Saturday, 19 October)
• Glenn Adams (Saturday, 19 October)
• Joel Weinberger (Friday, 18 October)

ERRATA CORRIGE Actual vote and regrets (was Re: [webappsec] POLL: Getting CSP 1.1 to LCWD)

• Giorgio Maone (Saturday, 5 October)

FYI: RFC 7034 on HTTP Header Field X-Frame-Options

• Tobias Gondrom (Monday, 14 October)

proposal: move frame-options directive out of UI safety spec into CSP 1.1

• Ian Melven (Monday, 21 October)
• Mike West (Monday, 21 October)
• Mike West (Monday, 21 October)
• Ian Melven (Tuesday, 8 October)
• Daniel Veditz (Tuesday, 8 October)

Reminder: Recharter out for review through Oct. 21

• Wendy Seltzer (Tuesday, 15 October)

RFC 7034 on HTTP Header Field X-Frame-Options

• Hill, Brad (Monday, 14 October)

Scripts from Strings: Where is the line?

• Frederik Braun (Saturday, 5 October)

Updated script hash proposal (non spec text)

• Neil Matatall (Monday, 21 October)
• Devdatta Akhawe (Sunday, 20 October)

webappsec-ISSUE-55 (input-protection and seamless iframes): How to handle seamless flag for input-protection policies? [UI Security]

• Web Application Security Working Group Issue Tracker (Thursday, 31 October)

Last message date: Thursday, 31 October 2013 18:19:42 UTC