W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2020

Weekly github digest (WebAppSec specs)

From: W3C Webmaster via GitHub API <sysbot+gh@w3.org>
Date: Mon, 09 Mar 2020 17:00:21 +0000
To: public-webappsec@w3.org
Message-Id: <E1jBLlN-00013O-PU@uranus.w3.org>



Issues
------
* w3c/webappsec-referrer-policy (+0/-0/💬11)
  1 issues received 11 new comments:
  - #123 Inconsistencies with "same-origin" requests (11 by annevk, bzbarsky, domenic, domfarolino)
    https://github.com/w3c/webappsec-referrer-policy/issues/123 

* WICG/trusted-types (+0/-15/💬26)
  17 issues received 26 new comments:
  - #260 Document.write and such as names are misleading (5 by annevk, domenic, koto)
    https://github.com/w3c/webappsec-trusted-types/issues/260 [spec] 
  - #259 Restrict to secure contexts (1 by otherdaniel)
    https://github.com/w3c/webappsec-trusted-types/issues/259 [spec] 
  - #258 Consider allowing creating a policy via a constructor. (6 by koto, mikewest, otherdaniel, othermaciej)
    https://github.com/w3c/webappsec-trusted-types/issues/258 [spec] 
  - #257 Use of [Unforgeable] in Trusted Types WebIDL (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/257 [spec] 
  - #252 Set slot values when called directly by the parser (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/252 [spec] 
  - #248 Alternative Options for Default Policy. (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/248 [spec] 
  - #238 Possible trustedTypes bypass when assigning to script.innerHTML (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/238 
  - #235 Consider removing getPolicyNames() (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/235 [spec] 
  - #234 Navigating to plugins (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/234 [spec] 
  - #232 Handle non-DOM APIs of loading scripts comprehensively. (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/232 [punted] [spec] 
  - #207 Finalize the integrations that guard eval & Function.constructor (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/207 [tc39] 
  - #190 Add a target suitable for nodejs. (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/190 [polyfill] 
  - #176 Putting guards at primitives instead of sinks (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/176 [spec] 
  - #169 Cover missing sinks (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/169 [polyfill] [spec] 
  - #117 Allow guarding (dynamic) module imports - a type for module specifiers (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/117 [spec] [tc39] 
  - #96 Facilitate creating trusted types from string literals (1 by koto)
    https://github.com/w3c/webappsec-trusted-types/issues/96 [tc39] 
  - #2 `TreatNullAs` behavior for `innerHTML`, et al. is unclear. (1 by mikewest)
    https://github.com/w3c/webappsec-trusted-types/issues/2 [polyfill] [spec] 

  15 issues closed:
  - Navigating to plugins https://github.com/w3c/webappsec-trusted-types/issues/234 [spec] 
  - Putting guards at primitives instead of sinks https://github.com/w3c/webappsec-trusted-types/issues/176 [spec] 
  - `TreatNullAs` behavior for `innerHTML`, et al. is unclear. https://github.com/w3c/webappsec-trusted-types/issues/2 [polyfill] [spec] 
  - Consider removing getPolicyNames() https://github.com/w3c/webappsec-trusted-types/issues/235 [spec] 
  - Consider allowing creating a policy via a constructor. https://github.com/w3c/webappsec-trusted-types/issues/258 [spec] 
  - Document.write and such as names are misleading https://github.com/w3c/webappsec-trusted-types/issues/260 [spec] 
  - Use of [Unforgeable] in Trusted Types WebIDL https://github.com/w3c/webappsec-trusted-types/issues/257 [spec] 
  - Alternative Options for Default Policy. https://github.com/w3c/webappsec-trusted-types/issues/248 [spec] 
  - Cover missing sinks https://github.com/w3c/webappsec-trusted-types/issues/169 [polyfill] [spec] 
  - Allow guarding (dynamic) module imports - a type for module specifiers https://github.com/w3c/webappsec-trusted-types/issues/117 [spec] [tc39] 
  - "require-trusted-types-for Pre-Navigation check" versus "Get Trusted Type compliant string" https://github.com/w3c/webappsec-trusted-types/issues/246 
  - Possible trustedTypes bypass when assigning to script.innerHTML https://github.com/w3c/webappsec-trusted-types/issues/238 
  - Facilitate creating trusted types from string literals https://github.com/w3c/webappsec-trusted-types/issues/96 [tc39] 
  - Polyfilling HostEnsureCanCompileStrings https://github.com/w3c/webappsec-trusted-types/issues/120 [polyfill] 
  - Clarify in spec - JS 'this' in policy.createXXX() https://github.com/w3c/webappsec-trusted-types/issues/78 [security] 



Pull requests
-------------
* WICG/trusted-types (+6/-5/💬0)
  6 pull requests submitted:
  - Added [SecureContext] to new interfaces. (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/266 
  - Added security consideration section about navigating plugins (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/265 
  - Removing `getPolicyNames`. (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/264 
  - Fix #260. (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/263 
  - Fix #257 (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/262 
  - Always use the constructor name instead of Element local names. (by koto)
    https://github.com/w3c/webappsec-trusted-types/pull/261 

  5 pull requests merged:
  - Added security consideration section about navigating plugins
    https://github.com/w3c/webappsec-trusted-types/pull/265 
  - Removing `getPolicyNames`.
    https://github.com/w3c/webappsec-trusted-types/pull/264 
  - Fix #260.
    https://github.com/w3c/webappsec-trusted-types/pull/263 
  - Fix #257
    https://github.com/w3c/webappsec-trusted-types/pull/262 
  - Always use the constructor name instead of Element local names.
    https://github.com/w3c/webappsec-trusted-types/pull/261 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
* https://github.com/w3c/webappsec-feature-policy
* https://github.com/w3c/webappsec-fetch-metadata
* https://github.com/WICG/trusted-types
* https://github.com/w3c/webappsec-unofficial-drafts
Received on Monday, 9 March 2020 17:00:29 UTC

This archive was generated by hypermail 2.4.0 : Monday, 9 March 2020 17:00:29 UTC