W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2017

Summary of recent conversations for WebAppSec

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 15 Feb 2017 08:38:21 -0800
Message-ID: <CADYDTCBF8PHjzofs2JTQAczk+vCPTZSTQvnVr1yYTPbOxgCD7w@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Here are a few highlights of recent WebAppSec activity you may have missed:

Referrer Policy transitioned to CR on January 26; call for exclusions ends
March 27.

We received charter feedback that our milestones looked unrealistic, and
resistance to adding Isolated Origins until we reduce the number of current
specs we're juggling.

New Referrer-Policy issue #94 requests an 'origin-when-downgrade' option.

Credential Management issue #58 references a hidden Chrome bug about XSS
attacks on passwords and suggests adding a non-normative section containing
"additional security measures to be used in combination with CM API to
provide the best protection against XSS attacks on passwords." No proposed
text, presumably waiting until the Chrome bug is unhidden?

Credential Management issue 56 wants to add a way to delete credentials
when a login attempt fails so a site doesn't keep annoying the user with
automatic but failed login attempts.

Following up to Artur's discussion on the call last month about risks when
using nonce with CSP, issue #177 proposes a warning about the risks of
injected base-uri when using nonces.

-Dan Veditz
Received on Wednesday, 15 February 2017 16:39:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC