- From: Mike West <notifications@github.com>
- Date: Mon, 07 Oct 2024 21:43:01 -0700
- To: whatwg/webidl <webidl@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 8 October 2024 04:43:05 UTC
Thanks for your feedback!

@shhnjk: I think this is what the proposal in https://github.com/w3c/webappsec-csp/pull/665 would address? If we landed that, we'd change the rules here accordingly.

@domenic: I agree with you that the bar for injection mitigation is lower than the unfortunately very difficult deployment story for cross-origin isolation in the status quo. As @RByers notes, collecting metrics is certainly a reasonable approach: https://mitigation.supply/#csp has whole-tab metrics showing strict CSP on ~25% and Trusted Type enforcement on ~12% of page views. I can dig through HTTP Archive to try to estimate the breadth (as my assumption is that a substantial portion of the numbers above are Google-owned frames).

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/webidl/issues/1440#issuecomment-2398821690
Message ID: <whatwg/webidl/issues/1440/2398821690@github.com>