from November 2012 by subject

[Bug 19920] New: Don't allow space-separated origins in the syntax

[webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter

[webappsec] Agenda for Teleconference of Nov 20, 2012

[webappsec] Call for Consensus: CSP 1.1 to FPWD

[webappsec] call for reportURIs DOM API use cases

[webappsec] New draft charter for discussion

[webappsec] PLEASE RESPOND: poll for new teleconference time

[webappsec] Reminder, today's call is CANCELLED

[webappsec] Remote participation in IETF websec meeting

[webappsec] subsume X-XSS-Protection into CSP 1.1?

[webappsec] Teleconference Poll: time unchanged

[webappsec] TPAC chatlog cleanup

[webappsec] updated draft SVG: simple CORS request

[websec] Call for Consensus: CORS to Candidate Recommendation

A11y for Web App Sec Anti clickjacking spec

Batching CSP violation reports.

Call for Consensus: CORS to Candidate Recommendation

Call for Exclusions: User Interface Safety Directives for Content Security Policy

CORS test status

CSP and inline styles

CSP, style-src, and what it means to ignore style attributes

how to protect javascript codes

ISSUE-20: If browsers apply this heuristic without an explicit opt-in policy, should we always block and not have the unsafe UIEvent property

ISSUE-21: Do assistive technologies send real events or synthetic events?

ISSUE-22: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so event is not delivered)

ISSUE-23: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block so event is not delivered

ISSUE-24: ();

ISSUE-25: Do frame-options directives (or other UISafety directives) make sense in a meta tag context?

ISSUE-26: Does the sandbox directive make sense in a meta tag context?

ISSUE-27: Implementation concern on how to enforce display-time : should we provide more advice on how to do this efficiently?

ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?

ISSUE-29: What are sane defaults for clipping with clipping or selectors?

ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface

ISSUE-31: What specification's definition of URL/URI are we using for path parsing in CSP 1.1?

ISSUE-32: Do we specify that path-specificity applies only to hierarchical URI schemes?

ISSUE-33: Need to address blob, data, filesystem URL types with greater specificity in CSP 1.1 spec

ISSUE-34: Discuss use cases / risks of script access to CSP information, solicit specific public comment on this feature with FPWD

ISSUE-35: Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs?

ISSUE-36: Are we interested in considering script-hash as a CSP 1.1 directive?

ISSUE-37: How to apply plugin-types in CSP 1.1 to iframes

ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive

ISSUE-39: Discuss CSP relevant use cases for possibly including Meta Referrer as a CSP directive

Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]

Restricting APIs in CSP

RfR: CORS tests - deadline 6 December

Running a few min late

Script-nonce policies

Security model review CSS Masking

TPAC meeting adjourned

TPAC schedule clarification

Trigger a DOM event/error when a CSP violation happens.

UI Safety Obstruction check and transforms

updated test VM link

webappsec-ISSUE-40 (X-XSS-Protection): Look at incorporating X-XSS-Protection functionality into CSP 1.1

Last message date: Thursday, 29 November 2012 20:17:59 UTC