from January 2015 by subject

[blink-dev] Proposal: Marking HTTP As Non-Secure

[blink-dev] Re: Proposal: Marking HTTP As Non-Secure

[Bug 27744] New: Should define the term 'subresource'

[Bug 27745] New: Should define the term 'integrity'

[Bug 27746] New: Integrity of image content

[Bug 27747] New: Integrity of font content

[Bug 27748] New: Value of @integrity attribute not sufficiently prescriptive

[CORS] Implementation Report links in CORS REC return errors

[CSP2] Browser Support

[CSP3] 404 error from

[CSP3] Allow paths without a domain

[CSP3] Allow plugin-types "none"

[CSP] <meta> clarifications

[CSP] Accepting base64-url

[CSP] Clarifications on nonces

[CSP] Clarifications regarding the HTTP LINK Header

[CSP] CSP3: Request for comments on message-src and message-sink

[CSP] Dynamic CSP

[CSP] Geotargetting?

[CSP] How to interpret 'self' in a sandboxed iframe

[CSP] Problems with frame-ancestors; X-Frame-Options not obsolete?

[CSP] Relative/absolute hostname matching

[CSP] URI/IRI normalization and comparison

[CSP] violation reports for sandbox

[Integrity] typos with ni URIs

[MIX] HSTS, SW and mixed-content

[MIX] PF comments on Mixed Content - accessible indication and user controls

[MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

[REFERRER] Combination of referrer directive values

[SRI] format of the integrity attribute

[SRI] Getting sha-384 and sha-512 added to the RFC6920 registry?

[SRI] Include sha-384 in the spec?

[SRI] providing good defaults when the expected content type is missing?

[SRI] Reserving the "authority" component of NI URIs for later use?

[SRI] Suggesting Francois Marier (Mozilla) as editor

[SRI] unsupported hashes and invalid metadata

[webappsec] Teleconference Agenda, 12-Jan-2015 12:00 PST

Accessibility of security indicators

Adding window.opener control to referrer-policy?

Avoiding synchronous manifest requests in EPR

Cancelling next week's call?

CfC: Transition CSP2 to CR.

Comments on Mixed Content

CREDENTIAL: And now for something completely different...

CSP unsafe-eval alternative for a 'trusted' or 'eval-src: self'?

CSP Versions in Violation Reports

CSP3: DOM API Strawman

CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

optimistic HTTP → HTTPS [was: Re: Require HTTPS scripts to be able to anything HTTP scripts can do.]

Plugin data (was Re: Comments on Mixed Content)

postMessage, workers and sandboxing

POWER: Combining document and settings object checks.

Proposal: A pinning mechanism for CSP?

Security use cases for packaging

Service workers and CSP

Strict mixed content checking (was Re: MIX: Exiting last call?)

webappsec-ACTION-209: Ask open data/linked data groups for info on data publishing for use in secure context

webappsec-ACTION-210: Move sri bugs in bugzilla to github

webappsec-ACTION-211: Ask github if they prefer fail open / closed on unknown hashes

Last message date: Saturday, 31 January 2015 04:10:26 UTC