Weekly github digest (WebAppSec specs)

Issues
------
* w3c/webappsec-csp (+3/-3/💬5)
  3 issues created:
  - Fetch rewrites ws/wss URLs, but browsers still report them in CSP (by annevk)
    https://github.com/w3c/webappsec-csp/issues/532 
  - Fix a bug in the example of Strict CSP (by shhnjk)
    https://github.com/w3c/webappsec-csp/issues/530 
  - Add Strict CSP in Authoring Considerations (by shhnjk)
    https://github.com/w3c/webappsec-csp/issues/528 

  2 issues received 5 new comments:
  - #532 Fetch rewrites ws/wss URLs, but browsers still report them in CSP (3 by ArthurSonzogni, Rob--W, annevk)
    https://github.com/w3c/webappsec-csp/issues/532 
  - #489 Specify sanitizing algorithm of blockedURL, documentURL, sourceFile beyond fragment exclusion (2 by ArthurSonzogni, Rob--W)
    https://github.com/w3c/webappsec-csp/issues/489 

  3 issues closed:
  - Specify sanitizing algorithm of blockedURL, documentURL, sourceFile beyond fragment exclusion https://github.com/w3c/webappsec-csp/issues/489 
  - Fix a typo in the example of Strict CSP https://github.com/w3c/webappsec-csp/issues/530 
  - Add Strict CSP in Authoring Considerations https://github.com/w3c/webappsec-csp/issues/528 

* w3c/webappsec-credential-management (+0/-2/💬5)
  5 issues received 5 new comments:
  - #136 add feature policy support for webauthn (1 by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/issues/136 [enhancement] 
  - #135 feature policy for the various credential types: per-credential?  all-included? (1 by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/issues/135 [enhancement] 
  - #116 "sameOriginWithAncestors is unused" ?  should s/unused/false/ ? (1 by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/issues/116 
  - #113 allow credential-type specs to declare top-level-only or not (1 by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/issues/113 
  - #92 accessing settings object from in-parallel steps? (1 by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/issues/92 

  2 issues closed:
  - add feature policy support for webauthn https://github.com/w3c/webappsec-credential-management/issues/136 [enhancement] 
  - allow credential-type specs to declare top-level-only or not https://github.com/w3c/webappsec-credential-management/issues/113 

* w3c/permissions (+7/-3/💬16)
  7 issues created:
  - "xr-spatial-tracking", (by miketaylr)
    https://github.com/w3c/permissions/issues/330 
  - "persistent-storage", (by miketaylr)
    https://github.com/w3c/permissions/issues/329 
  - "nfc", (by miketaylr)
    https://github.com/w3c/permissions/issues/328 
  - "magnetometer", (by miketaylr)
    https://github.com/w3c/permissions/issues/326 
  - Ensure "camera" & "microphone" are defined in their parent spec (by miketaylr)
    https://github.com/w3c/permissions/issues/323 
  - "screen-capture" (by miketaylr)
    https://github.com/w3c/permissions/issues/322 
  - "gyroscope", (by miketaylr)
    https://github.com/w3c/permissions/issues/321 

  10 issues received 16 new comments:
  - #330 Ensure "xr-spatial-tracking" is integrated into parent spec (2 by marcoscaceres, miketaylr)
    https://github.com/w3c/permissions/issues/330 
  - #329 "persistent-storage", (1 by miketaylr)
    https://github.com/w3c/permissions/issues/329 
  - #328 Ensure "nfc" is integrated into parent spec (1 by miketaylr)
    https://github.com/w3c/permissions/issues/328 
  - #326 Ensure "magnetometer" is integrated into parent spec (1 by miketaylr)
    https://github.com/w3c/permissions/issues/326 
  - #323 Ensure "camera" & "microphone" are defined in their parent spec (1 by miketaylr)
    https://github.com/w3c/permissions/issues/323 
  - #322 Ensure "display-capture" is integrated into Screen Capture API spec (3 by miketaylr)
    https://github.com/w3c/permissions/issues/322 
  - #321 Ensure "gyroscope" is integrated into Gyroscope API (3 by miketaylr, rakuco)
    https://github.com/w3c/permissions/issues/321 
  - #315 Can we drop the allowed in non-secure contexts flag? (1 by miketaylr)
    https://github.com/w3c/permissions/issues/315 
  - #296 Ensure "accelerometer" is integrated into parent spec (2 by marcoscaceres, miketaylr)
    https://github.com/w3c/permissions/issues/296 
  - #291 Ensure "notifications" permission is properly integrated into parent spec (1 by miketaylr)
    https://github.com/w3c/permissions/issues/291 

  3 issues closed:
  - Ensure "xr-spatial-tracking" is integrated into parent spec https://github.com/w3c/permissions/issues/330 
  - Can we drop the allowed in non-secure contexts flag? https://github.com/w3c/permissions/issues/315 
  - Ensure "notifications" permission is properly integrated into parent spec https://github.com/w3c/permissions/issues/291 

* w3c/webappsec-permissions-policy (+0/-0/💬1)
  1 issue received 1 new comment:
  - #189 Proposal: define default for all (1 by theherk)
    https://github.com/w3c/webappsec-permissions-policy/issues/189 [feature question] 

* w3c/webappsec-fetch-metadata (+1/-0/💬5)
  1 issue created:
  - Fetch-Metadata to indicate when the browser is in a partitioned context (by DCtheTall)
    https://github.com/w3c/webappsec-fetch-metadata/issues/80 

  1 issue received 5 new comments:
  - #80 Fetch-Metadata to indicate when the browser is in a partitioned context (5 by annevk, krgovind, mikewest)
    https://github.com/w3c/webappsec-fetch-metadata/issues/80 



Pull requests
-------------
* w3c/webappsec (+1/-1/💬0)
  1 pull request submitted:
  - Update 2021-11-16-agenda.md (by shhnjk)
    https://github.com/w3c/webappsec/pull/606 

  1 pull request merged:
  - Update 2021-11-16-agenda.md
    https://github.com/w3c/webappsec/pull/606 

* w3c/webappsec-csp (+4/-3/💬31)
  4 pull requests submitted:
  - Add ['wss', 'ws'] in "Strip URLs for use in reports" allow-list. (by ArthurSonzogni)
    https://github.com/w3c/webappsec-csp/pull/533 
  - Fix a bug in the example of Strict CSP (by shhnjk)
    https://github.com/w3c/webappsec-csp/pull/531 
  - Define Strict CSP in the Authoring Considerations section. (by shhnjk)
    https://github.com/w3c/webappsec-csp/pull/529 
  - Introduce "Strip URL for use in reports". (by ArthurSonzogni)
    https://github.com/w3c/webappsec-csp/pull/527 

  5 pull requests received 31 new comments:
  - #533 Add ['wss', 'ws'] in "Strip URLs for use in reports" allow-list. (4 by ArthurSonzogni, annevk)
    https://github.com/w3c/webappsec-csp/pull/533 
  - #529 Define Strict CSP in the Authoring Considerations section. (2 by lweichselbaum, shhnjk)
    https://github.com/w3c/webappsec-csp/pull/529 
  - #527 Introduce "Strip URL for use in reports". (19 by ArthurSonzogni, Rob--W, annevk, mikewest)
    https://github.com/w3c/webappsec-csp/pull/527 
  - #526 Remove calleeRealm from EnsureCSPDoesNotBlockWasmByteCompilation (2 by annevk, fgmccabe)
    https://github.com/w3c/webappsec-csp/pull/526 
  - #293 Minimal specification of 'wasm-unsafe-eval' source directive (4 by boompig, fgmccabe, ostap0207)
    https://github.com/w3c/webappsec-csp/pull/293 

  3 pull requests merged:
  - Introduce "Strip URL for use in reports".
    https://github.com/w3c/webappsec-csp/pull/527 
  - Fix a typo in the example of Strict CSP
    https://github.com/w3c/webappsec-csp/pull/531 
  - Define Strict CSP in the Authoring Considerations section.
    https://github.com/w3c/webappsec-csp/pull/529 

* w3c/webappsec-credential-management (+1/-1/💬0)
  1 pull request submitted:
  - Add Nina Satragno as editor (by equalsJeffH)
    https://github.com/w3c/webappsec-credential-management/pull/178 [editorial] 

  1 pull request merged:
  - Add Nina Satragno as editor
    https://github.com/w3c/webappsec-credential-management/pull/178 [editorial] 

* w3c/permissions (+4/-3/💬2)
  4 pull requests submitted:
  - Editorial: link <a>express permission</a> inside <a>request permission to use</a>. (by miketaylr)
    https://github.com/w3c/permissions/pull/331 
  - Remove the allowed in non-secure contexts flag (by miketaylr)
    https://github.com/w3c/permissions/pull/327 
  - Editorial: Add 'getting the current permission state' steps (by marcoscaceres)
    https://github.com/w3c/permissions/pull/325 
  - Editorial: Relocate "bluetooth", "camera", "microphone", "notifications", "speaker-selection". (by miketaylr)
    https://github.com/w3c/permissions/pull/324 

  2 pull requests received 2 new comments:
  - #327 Remove the allowed in non-secure contexts flag (1 by marcoscaceres)
    https://github.com/w3c/permissions/pull/327 
  - #324 Editorial: Relocate "bluetooth", "camera", "microphone", "notifications", "speaker-selection". (1 by miketaylr)
    https://github.com/w3c/permissions/pull/324 

  3 pull requests merged:
  - Remove the allowed in non-secure contexts flag
    https://github.com/w3c/permissions/pull/327 
  - Editorial: Add 'getting the current permission state' steps
    https://github.com/w3c/permissions/pull/325 
  - Editorial: Relocate "camera", "microphone", "notifications", "speaker-selection".
    https://github.com/w3c/permissions/pull/324 

* w3c/webappsec-fetch-metadata (+1/-0/💬2)
  1 pull request submitted:
  - Add `nested-navigate` to list of valid `Sec-Fetch-Mode` values (by 0xedward)
    https://github.com/w3c/webappsec-fetch-metadata/pull/81 

  1 pull request received 2 new comments:
  - #81 Add `nested-navigate` to list of valid `Sec-Fetch-Mode` values (2 by 0xedward, annevk)
    https://github.com/w3c/webappsec-fetch-metadata/pull/81 

* w3c/webappsec-trusted-types (+0/-1/💬0)
  1 pull request merged:
  - Spec draft for fromLiteral method. See #347.
    https://github.com/w3c/webappsec-trusted-types/pull/350 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
* https://github.com/w3c/webappsec-permissions-policy
* https://github.com/w3c/webappsec-fetch-metadata
* https://github.com/w3c/webappsec-trusted-types
* https://github.com/w3c/webappsec-change-password-url
* https://github.com/w3c/webappsec-post-spectre-webdev


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 22 November 2021 17:00:46 UTC