
Weekly github digest (WebAppSec specs)

From: W3C Webmaster via GitHub API <sysbot+gh@w3.org>
Date: Mon, 18 Nov 2019 17:00:17 +0000
To: public-webappsec@w3.org
Message-Id: <E1iWkNt-0004LM-7n@uranus.w3.org>



Issues
------
* w3c/webappsec (+0/-0/💬1)
  1 issues received 1 new comments:
  - #520 Clarify CSP header recommendations for non-HTML pages (1 by Malvoz)
    https://github.com/w3c/webappsec/issues/520 

* w3c/webappsec-subresource-integrity (+0/-1/💬2)
  1 issues received 2 new comments:
  - #26 Extend SRI to apply to <link rel=preload> (2 by annevk, littledan)
    https://github.com/w3c/webappsec-subresource-integrity/issues/26 [feature-request] 

  1 issues closed:
  - Extend SRI to apply to <link rel=preload> https://github.com/w3c/webappsec-subresource-integrity/issues/26 [feature-request] 

* w3c/webappsec-feature-policy (+1/-0/💬9)
  1 issues created:
  - Disable DOM clobbering. (by mikewest)
    https://github.com/w3c/webappsec-feature-policy/issues/349 

  2 issues received 9 new comments:
  - #349 Disable DOM clobbering. (8 by annevk, bzbarsky, koto, terjanq)
    https://github.com/w3c/webappsec-feature-policy/issues/349 
  - #193 Feature Policy: lazyload (1 by domfarolino)
    https://github.com/w3c/webappsec-feature-policy/issues/193 [proposed feature] 

* w3c/webappsec-fetch-metadata (+0/-0/💬2)
  1 issues received 2 new comments:
  - #16 Is `Sec-Fetch-Dest` necessary? (2 by Jack-Works, Malvoz)
    https://github.com/w3c/webappsec-fetch-metadata/issues/16 

* WICG/trusted-types (+4/-1/💬7)
  4 issues created:
  - Ascertain in-realm documents are indeed covered in the spec (by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/242 
  - Allow future extensions to the API without breaking compatibility (by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/241 
  - getAttributeType is wrong about namespaces (by annevk)
    https://github.com/w3c/webappsec-trusted-types/issues/240 
  - Possible trustedTypes bypass when assigning to script.innerHTML (by securityMB)
    https://github.com/w3c/webappsec-trusted-types/issues/238 

  5 issues received 7 new comments:
  - #241 Allow future extensions to the API without breaking compatibility (2 by koto, otherdaniel)
    https://github.com/w3c/webappsec-trusted-types/issues/241 
  - #238 Possible trustedTypes bypass when assigning to script.innerHTML (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/238 
  - #235 Consider removing getPolicyNames() (2 by koto, xtofian)
    https://github.com/w3c/webappsec-trusted-types/issues/235 
  - #222 How does this work when you have a dependency included twice? (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/222 
  - #221 Figure out if we need `'trusted-script'` in `script-src` (1 by mikewest)
    https://github.com/w3c/webappsec-trusted-types/issues/221 

  1 issues closed:
  - Figure out if we need `'trusted-script'` in `script-src` https://github.com/w3c/webappsec-trusted-types/issues/221 



Pull requests
-------------
* w3c/webappsec-csp (+1/-0/💬2)
  1 pull requests submitted:
  - Typo fix (by Malvoz)
    https://github.com/w3c/webappsec-csp/pull/413 

  1 pull requests received 2 new comments:
  - #413 Typo fix (2 by Malvoz)
    https://github.com/w3c/webappsec-csp/pull/413 

* w3c/permissions (+0/-0/💬2)
  2 pull requests received 2 new comments:
  - #202 Add periodic-background-sync enum and description. (1 by mugdhalakhani)
    https://github.com/w3c/permissions/pull/202 
  - #196 Direct Connection Permission (1 by alvestrand)
    https://github.com/w3c/permissions/pull/196 

* WICG/trusted-types (+2/-2/💬0)
  2 pull requests submitted:
  - Fix #221. (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/239 
  - Restricting characters that can be used in policy names (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/237 

  2 pull requests merged:
  - Fix #221.
    https://github.com/w3c/webappsec-trusted-types/pull/239 
  - Restricting characters that can be used in policy names
    https://github.com/w3c/webappsec-trusted-types/pull/237 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
* https://github.com/w3c/webappsec-feature-policy
* https://github.com/w3c/webappsec-fetch-metadata
* https://github.com/WICG/trusted-types
* https://github.com/w3c/webappsec-unofficial-drafts
Received on Monday, 18 November 2019 17:00:19 UTC
