- From: W3C Webmaster via GitHub API <sysbot+gh@w3.org>
- Date: Mon, 22 Oct 2018 17:00:09 +0000
- To: public-webappsec@w3.org
- Message-Id: <E1gEdYn-00086E-PY@uranus.w3.org>
Issues
------
* w3c/webappsec-csp (+0/-7/💬14)
10 issues received 14 new comments:
- #277 Allow CSP-Report-Only in meta tags. (4 by annevk, mikewest, dveditz)
https://github.com/w3c/webappsec-csp/issues/277
- #348 Allow report-to in CSP and CSPRO meta tags (2 by ScottHelme, dveditz)
https://github.com/w3c/webappsec-csp/issues/348
- #131 Embedded Enforcement: Invalid required csp attribute on iframe (1 by mikewest)
https://github.com/w3c/webappsec-csp/issues/131 [EMBEDDED]
- #225 Embedded: make clear that servers MUST respond with a CSP or Allow-CSP-From header, <meta> CSP's are not allowed. (1 by mikewest)
https://github.com/w3c/webappsec-csp/issues/225 [EMBEDDED]
- #44 Clarify what is the threat model for embedded enforcement (1 by mikewest)
https://github.com/w3c/webappsec-csp/issues/44 [EMBEDDED]
- #49 Embedded: consider other contexts other than iframe (1 by mikewest)
https://github.com/w3c/webappsec-csp/issues/49 [EMBEDDED]
- #115 Embedding-CSP header (1 by mikewest)
https://github.com/w3c/webappsec-csp/issues/115 [CSP] [EMBEDDED]
- #92 WebRTC RTCDataChannel can be used for exfiltration (1 by lgrahl)
https://github.com/w3c/webappsec-csp/issues/92
- #126 Embedded: Think about the implications of allowing injected `csp` with reporting. (1 by mikewest)
https://github.com/w3c/webappsec-csp/issues/126 [EMBEDDED]
- #351 How is CSPEE recursive? (1 by mikewest)
https://github.com/w3c/webappsec-csp/issues/351
7 issues closed:
- Embedded: Think about the implications of allowing injected `csp` with reporting. https://github.com/w3c/webappsec-csp/issues/126 [EMBEDDED]
- Embedded Enforcement: Invalid required csp attribute on iframe https://github.com/w3c/webappsec-csp/issues/131 [EMBEDDED]
- Clarify what is the threat model for embedded enforcement https://github.com/w3c/webappsec-csp/issues/44 [EMBEDDED]
- Embedded: consider other contexts other than iframe https://github.com/w3c/webappsec-csp/issues/49 [EMBEDDED]
- Embedding-CSP header https://github.com/w3c/webappsec-csp/issues/115 [CSP] [EMBEDDED]
- Embedded: make clear that servers MUST respond with a CSP or Allow-CSP-From header, <meta> CSP's are not allowed. https://github.com/w3c/webappsec-csp/issues/225 [EMBEDDED]
- How is CSPEE recursive? https://github.com/w3c/webappsec-csp/issues/351
* w3c/webappsec-credential-management (+0/-0/💬2)
1 issues received 2 new comments:
- #128 copy (aka snapshot) any buffersources in options before going async (2 by jcjones, mikewest)
https://github.com/w3c/webappsec-credential-management/issues/128
* w3c/permissions (+1/-2/💬2)
1 issues created:
- Allow Feature Policy-based permission models (by jan-ivar)
https://github.com/w3c/permissions/issues/185
1 issues received 2 new comments:
- #185 Allow Feature Policy-based permission models (2 by raymeskhoury, jan-ivar)
https://github.com/w3c/permissions/issues/185
2 issues closed:
- Allow Feature Policy-based permission models https://github.com/w3c/permissions/issues/185
- A new permission for screen-sharing with getDisplayMedia() https://github.com/w3c/permissions/issues/182
* w3c/webappsec-referrer-policy (+1/-3/💬5)
1 issues created:
- How referrer policy deal with iframe srcdoc ? (by zxyxx)
https://github.com/w3c/webappsec-referrer-policy/issues/116
5 issues received 5 new comments:
- #112 add back "none" as legacy keyword (1 by mikewest)
https://github.com/w3c/webappsec-referrer-policy/issues/112
- #116 How referrer policy deal with iframe srcdoc ? (1 by mikewest)
https://github.com/w3c/webappsec-referrer-policy/issues/116
- #82 "TLS-protected" link seems not very useful (1 by mikewest)
https://github.com/w3c/webappsec-referrer-policy/issues/82
- #108 Referrer policy of referencing in SVG? (1 by mikewest)
https://github.com/w3c/webappsec-referrer-policy/issues/108
- #111 Should JavaScript module imports respect referrer policy, and if so, how? (1 by mikewest)
https://github.com/w3c/webappsec-referrer-policy/issues/111
3 issues closed:
- noreferrer isn't integrated with <link> https://github.com/w3c/webappsec-referrer-policy/issues/74
- "TLS-protected" link seems not very useful https://github.com/w3c/webappsec-referrer-policy/issues/82
- add back "none" as legacy keyword https://github.com/w3c/webappsec-referrer-policy/issues/112
* w3c/webappsec-cspee (+7/-0/💬22)
7 issues created:
- Embedded: Think about the implications of allowing injected `csp` with reporting. (by mikewest)
https://github.com/w3c/webappsec-cspee/issues/7
- Embedded Enforcement: Invalid required csp attribute on iframe (by mikewest)
https://github.com/w3c/webappsec-cspee/issues/6
- Clarify what is the threat model for embedded enforcement (by mikewest)
https://github.com/w3c/webappsec-cspee/issues/5
- Embedded: consider other contexts other than iframe (by mikewest)
https://github.com/w3c/webappsec-cspee/issues/4
- Embedding-CSP header (by mikewest)
https://github.com/w3c/webappsec-cspee/issues/3
- Embedded: make clear that servers MUST respond with a CSP or Allow-CSP-From header, <meta> CSP's are not allowed. (by mikewest)
https://github.com/w3c/webappsec-cspee/issues/2
- How is CSPEE recursive? (by mikewest)
https://github.com/w3c/webappsec-cspee/issues/1
4 issues received 22 new comments:
- #3 Embedding-CSP header (11 by mikewest)
https://github.com/w3c/webappsec-cspee/issues/3 [CSP] [EMBEDDED]
- #1 How is CSPEE recursive? (6 by mikewest)
https://github.com/w3c/webappsec-cspee/issues/1
- #4 Embedded: consider other contexts other than iframe (3 by mikewest)
https://github.com/w3c/webappsec-cspee/issues/4 [EMBEDDED]
- #2 Embedded: make clear that servers MUST respond with a CSP or Allow-CSP-From header, <meta> CSP's are not allowed. (2 by mikewest)
https://github.com/w3c/webappsec-cspee/issues/2 [EMBEDDED]
Pull requests
-------------
* w3c/webappsec-csp (+4/-1/💬3)
4 pull requests submitted:
- Added note in 'strict-dynamic' section to alert developers around potential avenues of attack (by andypaicu)
https://github.com/w3c/webappsec-csp/pull/357
- Added more notes about nonce attacks (by andypaicu)
https://github.com/w3c/webappsec-csp/pull/356
- Fixed various bikeshed linking warnings and removed embedded from mak… (by andypaicu)
https://github.com/w3c/webappsec-csp/pull/355
- Fixed various bikeshed linking warnings and removed embedded from mak… (by andypaicu)
https://github.com/w3c/webappsec-csp/pull/354
2 pull requests received 3 new comments:
- #353 Changed names of some SPV event members (2 by andypaicu)
https://github.com/w3c/webappsec-csp/pull/353
- #354 Fixed various bikeshed linking warnings and removed embedded from mak… (1 by andypaicu)
https://github.com/w3c/webappsec-csp/pull/354
1 pull requests merged:
- Fixed various bikeshed linking warnings and removed embedded from mak…
https://github.com/w3c/webappsec-csp/pull/355
* w3c/webappsec-credential-management (+0/-0/💬1)
1 pull requests received 1 new comments:
- #100 issue 92 accessing settings object: add passing global and queue task invoke callback (1 by equalsJeffH)
https://github.com/w3c/webappsec-credential-management/pull/100
* w3c/permissions (+0/-1/💬2)
1 pull requests received 2 new comments:
- #184 Add 'display' permission for screen-capture. (2 by mounirlamouri, jan-ivar)
https://github.com/w3c/permissions/pull/184
1 pull requests merged:
- Add 'display' permission for screen-capture.
https://github.com/w3c/permissions/pull/184
Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
Received on Monday, 22 October 2018 17:00:13 UTC