Weekly github digest (WebAppSec specs) from W3C Webmaster via GitHub API on 2018-10-29 (public-webappsec@w3.org from October 2018)

From: W3C Webmaster via GitHub API <sysbot+gh@w3.org>
Date: Mon, 29 Oct 2018 17:00:14 +0000
To: public-webappsec@w3.org
Message-Id: <E1gHAti-0002Dn-3e@uranus.w3.org>
Issues
------
* w3c/webappsec (+1/-0/💬1)
  1 issues created:
  - Report Iframe nesting level instead of using frame-ancestors directive (by moonyowl)
    https://github.com/w3c/webappsec/issues/537 

  1 issues received 1 new comments:
  - #537 Report Iframe nesting level instead of using frame-ancestors directive (1 by annevk)
    https://github.com/w3c/webappsec/issues/537 

* w3c/webappsec-csp (+0/-2/💬41)
  4 issues received 41 new comments:
  - #8 CSP: form-action and redirects (32 by Changaco, ptoomey3, annevk, andypaicu, iquito, ThrawnCA)
    https://github.com/w3c/webappsec-csp/issues/8 [CSP] 
  - #320 CSP violation report should not use redirect-mode: "error" (5 by annevk, yutakahirano)
    https://github.com/w3c/webappsec-csp/issues/320 
  - #212 Inline style bits are very unclear (3 by andypaicu, bzbarsky)
    https://github.com/w3c/webappsec-csp/issues/212 
  - #161 Specify browser behavior for CSP headers on 304 (not modified) responses (1 by andypaicu)
    https://github.com/w3c/webappsec-csp/issues/161 

  2 issues closed:
  - Specify browser behavior for CSP headers on 304 (not modified) responses https://github.com/w3c/webappsec-csp/issues/161 
  - Add a note about 'strict-dynamic' allowing injections into non-parser-inserted script URIs to be exploitable https://github.com/w3c/webappsec-csp/issues/97 

* w3c/webappsec-credential-management (+1/-0/💬5)
  1 issues created:
  - create-a-cred and request-a-cred ought to return only a cred or error (by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/issues/129 

  2 issues received 5 new comments:
  - #128 copy (aka snapshot) any buffersources in options before going async (4 by jcjones, equalsJeffH, annevk)
    https://github.com/w3c/webappsec-credential-management/issues/128 
  - #129 create-a-cred and request-a-cred ought to return only a cred or error (1 by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/issues/129 

* w3c/webappsec-referrer-policy (+0/-1/💬7)
  4 issues received 7 new comments:
  - #74 noreferrer isn't integrated with <link> (3 by jeisinger, domenic)
    https://github.com/w3c/webappsec-referrer-policy/issues/74 
  - #111 Should JavaScript module imports respect referrer policy, and if so, how? (2 by domfarolino, domenic)
    https://github.com/w3c/webappsec-referrer-policy/issues/111 
  - #115 Redesign of "extract header list values" expected (1 by mikewest)
    https://github.com/w3c/webappsec-referrer-policy/issues/115 
  - #108 Referrer policy of referencing in SVG? (1 by jeisinger)
    https://github.com/w3c/webappsec-referrer-policy/issues/108 

  1 issues closed:
  - noreferrer isn't integrated with <link> https://github.com/w3c/webappsec-referrer-policy/issues/74 

* w3c/webappsec-clear-site-data (+2/-0/💬6)
  2 issues created:
  - Clear Cache API caches (by inexorabletash)
    https://github.com/w3c/webappsec-clear-site-data/issues/53 
  - Define the behavior for third-party cookie blocking. (by mikewest)
    https://github.com/w3c/webappsec-clear-site-data/issues/52 

  3 issues received 6 new comments:
  - #23 Rename "executionContexts" (3 by annevk, mikewest, domenic)
    https://github.com/w3c/webappsec-clear-site-data/issues/23 
  - #52 Define the behavior for third-party cookie blocking. (2 by ericlaw1979, msramek)
    https://github.com/w3c/webappsec-clear-site-data/issues/52 
  - #53 Clear Cache API caches (1 by inexorabletash)
    https://github.com/w3c/webappsec-clear-site-data/issues/53 

* w3c/webappsec-cspee (+1/-0/💬1)
  1 issues created:
  - Sites should be able to specify a default required CSP (by michael-oneill)
    https://github.com/w3c/webappsec-cspee/issues/8 

  1 issues received 1 new comments:
  - #8 Sites should be able to specify a default required CSP (1 by michael-oneill)
    https://github.com/w3c/webappsec-cspee/issues/8 



Pull requests
-------------
* w3c/webappsec-csp (+2/-1/💬4)
  2 pull requests submitted:
  - Added a note about fetch redirects being covered (by andypaicu)
    https://github.com/w3c/webappsec-csp/pull/359 
  - Inherit source browsing context's CSP instead of parent/opener (by andypaicu)
    https://github.com/w3c/webappsec-csp/pull/358 

  3 pull requests received 4 new comments:
  - #358 Inherit source browsing context's CSP instead of parent/opener (2 by andypaicu)
    https://github.com/w3c/webappsec-csp/pull/358 
  - #356 Added more notes about nonce attacks (1 by arturjanc)
    https://github.com/w3c/webappsec-csp/pull/356 
  - #357 Added note in 'strict-dynamic' section to alert developers around potential avenues of attack (1 by arturjanc)
    https://github.com/w3c/webappsec-csp/pull/357 

  1 pull requests merged:
  - Added note in 'strict-dynamic' section to alert developers around potential avenues of attack
    https://github.com/w3c/webappsec-csp/pull/357 

* w3c/webappsec-credential-management (+1/-0/💬1)
  1 pull requests submitted:
  - fix issue #128 copy buffer sources (by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/pull/130 

  1 pull requests received 1 new comments:
  - #100 issue 92 accessing settings object: add passing global and queue task invoke callback (1 by mikewest)
    https://github.com/w3c/webappsec-credential-management/pull/100 

* w3c/webappsec-referrer-policy (+1/-1/💬0)
  1 pull requests submitted:
  - rel="noreferrer" is not supported for <link> elements (by jeisinger)
    https://github.com/w3c/webappsec-referrer-policy/pull/117 

  1 pull requests merged:
  - rel="noreferrer" is not supported for <link> elements
    https://github.com/w3c/webappsec-referrer-policy/pull/117 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
Received on Monday, 29 October 2018 17:00:15 UTC