Weekly github digest (WebAppSec specs)

Issues
------
* w3c/webappsec (+0/-0/💬1)
  1 issues received 1 new comments:
  - #555 TPAC 2019 Agenda. (1 by wjmaclean)
    https://github.com/w3c/webappsec/issues/555 

* w3c/webappsec-csp (+0/-0/💬1)
  1 issues received 1 new comments:
  - #7 CSP: connect-src 'self' and websockets (1 by ratiofu)
    https://github.com/w3c/webappsec-csp/issues/7 [CSP] 

* w3c/webappsec-feature-policy (+0/-0/💬2)
  1 issues received 2 new comments:
  - #273 Prevent programmatic focus in iframe (2 by ehsan-karamad, clelland)
    https://github.com/w3c/webappsec-feature-policy/issues/273 [proposed feature] 

* w3c/webappsec-fetch-metadata (+0/-2/💬6)
  5 issues received 6 new comments:
  - #34 Treat http://foo.com -> https://foo.com requests as `Sec-Fetch-Site: cross-site`. (2 by annevk, mikewest)
    https://github.com/w3c/webappsec-fetch-metadata/issues/34 
  - #36 Sec-Fetch-Site for service worker update request (1 by mikewest)
    https://github.com/w3c/webappsec-fetch-metadata/issues/36 
  - #37 Handling iframing via <embed> / <object> (1 by arturjanc)
    https://github.com/w3c/webappsec-fetch-metadata/issues/37 
  - #30 Behavior for payment manifests (1 by mikewest)
    https://github.com/w3c/webappsec-fetch-metadata/issues/30 
  - #39 Sending `Sec-Fetch-Site: none` after redirects from directly user-initiated requests (1 by arturjanc)
    https://github.com/w3c/webappsec-fetch-metadata/issues/39 

  2 issues closed:
  - Sec-Fetch-Site for service worker update request https://github.com/w3c/webappsec-fetch-metadata/issues/36 
  - Behavior for payment manifests https://github.com/w3c/webappsec-fetch-metadata/issues/30 

* WICG/trusted-types (+0/-2/💬2)
  2 issues received 2 new comments:
  - #176 Putting guards at primitives instead of sinks (1 by koto)
    https://github.com/WICG/trusted-types/issues/176 [spec] 
  - #104 Why is there no type for style / CSS? (1 by koto)
    https://github.com/WICG/trusted-types/issues/104 [spec] 

  2 issues closed:
  - Support a truly report-only and debuggable default policy https://github.com/WICG/trusted-types/issues/209 
  - Bypass via HTMLAnchorElement properties https://github.com/WICG/trusted-types/issues/64 [security] 



Pull requests
-------------
* w3c/webappsec-feature-policy (+0/-1/💬2)
  2 pull requests received 2 new comments:
  - #306 add webauthn as proposed feature (FP issue #168) (1 by equalsJeffH)
    https://github.com/w3c/webappsec-feature-policy/pull/306 
  - #338 webauthn => publickey-credentials (1 by clelland)
    https://github.com/w3c/webappsec-feature-policy/pull/338 

  1 pull requests merged:
  - webauthn => publickey-credentials
    https://github.com/w3c/webappsec-feature-policy/pull/338 

* WICG/trusted-types (+2/-2/💬0)
  2 pull requests submitted:
  - Fix #209. (by koto)
    https://github.com/WICG/trusted-types/pull/212 
  - First attempt at fixing #176. (by koto)
    https://github.com/WICG/trusted-types/pull/211 

  2 pull requests merged:
  - Fix #209.
    https://github.com/WICG/trusted-types/pull/212 
  - Replace TrustedURL with calling a default policy on navigation to javascript: URLs.
    https://github.com/WICG/trusted-types/pull/204 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
* https://github.com/w3c/webappsec-feature-policy
* https://github.com/w3c/webappsec-fetch-metadata
* https://github.com/WICG/trusted-types