Weekly github digest (WebAppSec specs)

Issues
------
* w3c/webappsec-csp (+0/-1/šŸ’¬7)
  2 issues received 7 new comments:
  - #403 CSP domain.com vs domain.com/ with slash (6 by annevk, laukstein, dveditz)
    https://github.com/w3c/webappsec-csp/issues/403 
  - #7 CSP: connect-src 'self' and websockets (1 by Thesephi)
    https://github.com/w3c/webappsec-csp/issues/7 [CSP] 

  1 issues closed:
  - CSP domain.com vs domain.com/ with slash https://github.com/w3c/webappsec-csp/issues/403 

* w3c/webappsec-feature-policy (+0/-3/šŸ’¬8)
  5 issues received 8 new comments:
  - #250 What happened to the webrtc feature? (4 by lgrahl, clelland, Malvoz)
    https://github.com/w3c/webappsec-feature-policy/issues/250 [feature question] 
  - #58 How vibrate will work with Feature Policy given the user gesture requirement? (1 by clelland)
    https://github.com/w3c/webappsec-feature-policy/issues/58 [feature question] 
  - #154 Explicit export/definition for "payment" (1 by clelland)
    https://github.com/w3c/webappsec-feature-policy/issues/154 [feedback] 
  - #230 Need to define how 'src' works with sandboxed frames (1 by clelland)
    https://github.com/w3c/webappsec-feature-policy/issues/230 [definition] 
  - #45 Provide example(s) of enabling disabled-by-default feature(s) (1 by clelland)
    https://github.com/w3c/webappsec-feature-policy/issues/45 [feedback] 

  3 issues closed:
  - Explicit export/definition for "payment" https://github.com/w3c/webappsec-feature-policy/issues/154 [feedback] 
  - How vibrate will work with Feature Policy given the user gesture requirement? https://github.com/w3c/webappsec-feature-policy/issues/58 [feature question] 
  - Provide example(s) of enabling disabled-by-default feature(s) https://github.com/w3c/webappsec-feature-policy/issues/45 [feedback] 

* w3c/webappsec-fetch-metadata (+0/-0/šŸ’¬2)
  1 issues received 2 new comments:
  - #36 Sec-Fetch-Site for service worker update request (2 by arturjanc, makotoshimazu)
    https://github.com/w3c/webappsec-fetch-metadata/issues/36 

* WICG/trusted-types (+1/-3/šŸ’¬8)
  1 issues created:
  - Add a target suitable for nodejs. (by koto)
    https://github.com/WICG/trusted-types/issues/190 [polyfill] 

  5 issues received 8 new comments:
  - #190 Add a target suitable for nodejs. (3 by koto)
    https://github.com/WICG/trusted-types/issues/190 [polyfill] 
  - #117 Should we guard module imports? (2 by mikesamuel)
    https://github.com/WICG/trusted-types/issues/117 [spec] 
  - #64 Bypass via HTMLAnchorElement properties (1 by koto)
    https://github.com/WICG/trusted-types/issues/64 [security] 
  - #139 Handle srcset attributes (1 by koto)
    https://github.com/WICG/trusted-types/issues/139 [spec] 
  - #178 Define rules for TT when multiple headers are present (1 by koto)
    https://github.com/WICG/trusted-types/issues/178 [spec] 

  3 issues closed:
  - Bypass via insertAdjacentText https://github.com/WICG/trusted-types/issues/133 [spec] 
  - Handle srcset attributes https://github.com/WICG/trusted-types/issues/139 [spec] 
  - Clarify interaction between unsafe-eval and TrustedScript. https://github.com/WICG/trusted-types/issues/143 



Pull requests
-------------
* w3c/webappsec-feature-policy (+2/-0/šŸ’¬0)
  2 pull requests submitted:
  - Expose new algorithms to create a Feature Policy before document is cā€¦ (by dtapuska)
    https://github.com/w3c/webappsec-feature-policy/pull/324 
  - Add `display-capture` feature (by Malvoz)
    https://github.com/w3c/webappsec-feature-policy/pull/323 

* WICG/trusted-types (+3/-4/šŸ’¬1)
  3 pull requests submitted:
  - Fix for #133. (by koto)
    https://github.com/WICG/trusted-types/pull/189 
  - Fix the poisoned proto in tests. (by koto)
    https://github.com/WICG/trusted-types/pull/188 
  - Bugfix: Call the IE range hack on install(). (by koto)
    https://github.com/WICG/trusted-types/pull/187 

  1 pull requests received 1 new comments:
  - #140 enforcement for `<img srcset>` (1 by koto)
    https://github.com/WICG/trusted-types/pull/140 

  4 pull requests merged:
  - Protect text node manipulation under script elements. Fixes #133.
    https://github.com/WICG/trusted-types/pull/189 
  - Fix the poisoned proto in tests.
    https://github.com/WICG/trusted-types/pull/188 
  - Bugfix: Call the IE range hack on install().
    https://github.com/WICG/trusted-types/pull/187 
  - Rewrote CSP & EcmaScript integration
    https://github.com/WICG/trusted-types/pull/170 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
* https://github.com/w3c/webappsec-feature-policy
* https://github.com/w3c/webappsec-fetch-metadata
* https://github.com/WICG/trusted-types

Received on Monday, 15 July 2019 17:00:15 UTC