- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 15 Feb 2017 08:38:21 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CADYDTCBF8PHjzofs2JTQAczk+vCPTZSTQvnVr1yYTPbOxgCD7w@mail.gmail.com>
Here are a few highlights of recent WebAppSec activity you may have missed:

Referrer Policy transitioned to CR on January 26; call for exclusions ends March 27.

We received charter feedback that our milestones looked unrealistic, and resistance to adding Isolated Origins until we reduce the number of current specs we're juggling.

New Referrer-Policy issue #94 requests an 'origin-when-downgrade' option.

Credential Management issue #58 references a hidden Chrome bug about XSS attacks on passwords and suggests adding a non-normative section containing "additional security measures to be used in combination with CM API to provide the best protection against XSS attacks on passwords." No proposed text, presumably waiting until the Chrome bug is unhidden?

Credential Management issue 56 wants to add a way to delete credentials when a login attempt fails so a site doesn't keep annoying the user with automatic but failed login attempts.

Following up to Artur's discussion on the call last month about risks when using nonce with CSP, issue #177 proposes a warning about the risks of injected base-uri when using nonces.

-Dan Veditz
Received on Wednesday, 15 February 2017 16:39:16 UTC
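As an added example, not from this message or the WebAppSec group, here is a small Python check for the base-uri concern behind issue #177: it parses a Content-Security-Policy value and flags a nonce-based policy that leaves base-uri unset or too broad. The sample policies and the parse_csp/uses_nonce/audit_base_uri helpers are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample policies (not from the thread). The first relies on a nonce
# but never restricts <base>; the second adds base-uri 'none'.
WEAK_POLICY = "default-src 'self'; script-src 'nonce-R4nd0m'"
HARDENED_POLICY = "default-src 'self'; script-src 'nonce-R4nd0m'; base-uri 'none'"

NONCE_SOURCE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive-name: [source expressions]}.
    Per the CSP spec a repeated directive name is ignored: the first one wins."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def uses_nonce(directives: Dict[str, List[str]]) -> bool:
    """True if script loading is gated by a nonce (script-src, else default-src)."""
    sources = directives.get("script-src", directives.get("default-src", []))
    return any(NONCE_SOURCE.match(src) for src in sources)


def audit_base_uri(policy: str) -> List[str]:
    """Return findings for the issue #177 concern; an empty list means no finding.
    base-uri is a document directive: it does NOT fall back to default-src, so a
    nonce policy that omits it still lets an injected <base> retarget relative
    script URLs to an attacker-chosen origin."""
    directives = parse_csp(policy)
    if not uses_nonce(directives):
        return []
    base = directives.get("base-uri")
    if base is None:
        return ["nonce-based policy omits base-uri; add base-uri 'none' (or 'self')"]
    broad = [src for src in base if src in ("*", "http:", "https:")]
    if broad:
        return [f"base-uri allows broad sources {broad}; prefer 'none' or 'self'"]
    return []


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_base_uri(policy) or "ok")
```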