Weekly github digest (WebAppSec specs)

Issues
------
* w3c/webappsec-csp (+1/-0/💬4)
  1 issues created:
  - `service-worker-src` directive (by bakkot)
    https://github.com/w3c/webappsec-csp/issues/638 

  2 issues received 4 new comments:
  - #634 Chrome/Safari trim nonces (1 by evilpie)
    https://github.com/w3c/webappsec-csp/issues/634 
  - #633 Resource hint blocking / "least restrictive" as specified does nothing? (3 by antosart, noamr)
    https://github.com/w3c/webappsec-csp/issues/633 

* w3c/permissions (+1/-0/💬1)
  1 issues created:
  - WebDriver: Should Set Permission apply to future browsing contexts? (by OrKoN)
    https://github.com/w3c/permissions/issues/437 

  1 issues received 1 new comments:
  - #419 WebDriver: Make it possible to pass a different origin to "Set Permission" (1 by miketaylr)
    https://github.com/w3c/permissions/issues/419 

* w3c/webappsec-permissions-policy (+1/-1/💬0)
  1 issues created:
  - methiyaowala (by Usermsn)
    https://github.com/w3c/webappsec-permissions-policy/issues/535 

  1 issues closed:
  - methiyaowala https://github.com/w3c/webappsec-permissions-policy/issues/535 

* w3c/webappsec-trusted-types (+0/-14/💬68)
  18 issues received 68 new comments:
  - #401 Is the `[[ScriptURL]]` slot needed? (1 by koto)
    https://github.com/w3c/trusted-types/issues/401 [proposed-removal] 
  - #399 Is there agreement in the HTML-spec community that no new injection sinks will be added? (1 by lukewarlow)
    https://github.com/w3c/trusted-types/issues/399 
  - #398 Defer `fromLiteral`? (22 by Sora2455, caridy, koto, lukewarlow, mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/398 [proposed-removal] 
  - #397 Defer integration with Dynamic Code Brand Checks? (1 by lukewarlow)
    https://github.com/w3c/trusted-types/issues/397 
  - #393 Incorrect assertion within Example 18 (2 by koto, lukewarlow)
    https://github.com/w3c/trusted-types/issues/393 
  - #386 Are `TrustedTypePolicy`'s `create*` methods intentionally not `readonly`? (5 by mbrodesser-Igalia, smaug----)
    https://github.com/w3c/trusted-types/issues/386 
  - #385 Are all injection sinks covered by the spec? (9 by annevk, lukewarlow, mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/385 
  - #384 Are `getAttributeType` and `getPropertyType` methods neccessary? (1 by lukewarlow)
    https://github.com/w3c/trusted-types/issues/384 
  - #380 TrustedTypes bypass using iframes (1 by koto)
    https://github.com/w3c/trusted-types/issues/380 
  - #379 should `null` & `undefined` for sinks requiring TT be a passthrough ? (2 by koto, lukewarlow)
    https://github.com/w3c/trusted-types/issues/379 
  - #360 Can we conditionally enforce Trusted Types based on document response type in XHR? (3 by annevk, koto)
    https://github.com/w3c/trusted-types/issues/360 [spec] [security] 
  - #359 Maybe enforce Trusted Types in XSL's xsl:text (1 by annevk)
    https://github.com/w3c/trusted-types/issues/359 
  - #357 Add SVG <use> href attribute to Trusted Types enforcement (4 by koto, mozfreddyb, shhnjk)
    https://github.com/w3c/trusted-types/issues/357 
  - #342 CfC to publish as an FPWD. (1 by lukewarlow)
    https://github.com/w3c/trusted-types/issues/342 
  - #305 Maybe remove plugin enforcement from Trusted Types? (4 by annevk, koto)
    https://github.com/w3c/trusted-types/issues/305 [future] 
  - #288 Consider enforcing TT for custom attributes. (1 by koto)
    https://github.com/w3c/trusted-types/issues/288 [future] 
  - #223 Handle innerHTML of svg in IE (1 by lukewarlow)
    https://github.com/w3c/trusted-types/issues/223 [polyfill] 
  - #207 Finalize the integrations that guard eval & Function.constructor (8 by koto, lukewarlow, mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/207 [tc39] 

  14 issues closed:
  - TrustedTypes bypass using iframes https://github.com/w3c/trusted-types/issues/380 
  - Consider enforcing TT for custom attributes. https://github.com/w3c/trusted-types/issues/288 [future] 
  - Consider adding a type for base.href https://github.com/w3c/trusted-types/issues/172 [polyfill] [spec] [future] 
  - Expose information on status of TrustedTypes enforcement https://github.com/w3c/trusted-types/issues/36 [spec] [future] 
  - Maybe remove plugin enforcement from Trusted Types? https://github.com/w3c/trusted-types/issues/305 [future] 
  - 'Create a Trusted Type' algorithm returns error value in step 6  https://github.com/w3c/trusted-types/issues/382 
  - Incorrect assertion within Example 18 https://github.com/w3c/trusted-types/issues/393 
  - Add SVG <use> href attribute to Trusted Types enforcement https://github.com/w3c/trusted-types/issues/357 
  - Are `TrustedTypePolicy`'s `create*` methods intentionally not `readonly`? https://github.com/w3c/trusted-types/issues/386 
  - Missing integration with new unsafe HTML parsing methods https://github.com/w3c/trusted-types/issues/403 
  - Should `require-trusted-types-for` support trusted scripts and trusted script URLs? https://github.com/w3c/trusted-types/issues/383 
  - Defer integration with Dynamic Code Brand Checks? https://github.com/w3c/trusted-types/issues/397 
  - Handle innerHTML of svg in IE https://github.com/w3c/trusted-types/issues/223 [polyfill] 
  - CfC to publish as an FPWD. https://github.com/w3c/trusted-types/issues/342 
Pull requests
-------------
* w3c/webappsec (+1/-1/💬0)
  1 pull requests submitted:
  - Comments from PING on charter 2024 (by plehegar)
    https://github.com/w3c/webappsec/pull/640 

  1 pull requests merged:
  - Comments from PING on charter 2024
    https://github.com/w3c/webappsec/pull/640 

* w3c/webappsec-csp (+1/-0/💬0)
  1 pull requests submitted:
  - Resource hint: check directives explicitly (by noamr)
    https://github.com/w3c/webappsec-csp/pull/637 

* w3c/permissions (+0/-1/💬1)
  1 pull requests received 1 new comments:
  - #436 Require an explicit origin for WebDriver BiDi automation (1 by miketaylr)
    https://github.com/w3c/permissions/pull/436 

  1 pull requests merged:
  - Require an explicit origin for WebDriver BiDi automation
    https://github.com/w3c/permissions/pull/436 

* w3c/webappsec-trusted-types (+6/-6/💬7)
  6 pull requests submitted:
  - Changed incorrect error mention in Create a Trusted Type algorithm. (by koto)
    https://github.com/w3c/trusted-types/pull/410 
  - Added a comment about fromLiteral. (by koto)
    https://github.com/w3c/trusted-types/pull/409 
  - Add goal for transitioning websites to save states (by mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/pull/408 
  - Merged HTML parsing sinks with DOM XSS sinks. (by koto)
    https://github.com/w3c/trusted-types/pull/407 
  - Add integration with setHTMLUnsafe and parseHTMLUnsafe (by lukewarlow)
    https://github.com/w3c/trusted-types/pull/406 
  - Remove `fromLiteral` from spec. (by lukewarlow)
    https://github.com/w3c/trusted-types/pull/405 

  4 pull requests received 7 new comments:
  - #407 Merged HTML parsing sinks with DOM XSS sinks. (1 by koto)
    https://github.com/w3c/trusted-types/pull/407 
  - #406 Add integration with setHTMLUnsafe and parseHTMLUnsafe (3 by lukewarlow, mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/pull/406 
  - #405 Remove `fromLiteral` from spec. (2 by lukewarlow)
    https://github.com/w3c/trusted-types/pull/405 
  - #377 Add detail about fromLiteral to explainer. (1 by lukewarlow)
    https://github.com/w3c/trusted-types/pull/377 

  6 pull requests merged:
  - Add use case for safely transitioning websites to not use any DOM XSS injection sinks
    https://github.com/w3c/trusted-types/pull/408 
  - Changed incorrect error mention in Create a Trusted Type algorithm.
    https://github.com/w3c/trusted-types/pull/410 
  - Added a comment about fromLiteral.
    https://github.com/w3c/trusted-types/pull/409 
  - Add integration with setHTMLUnsafe and parseHTMLUnsafe
    https://github.com/w3c/trusted-types/pull/406 
  - Merged HTML parsing sinks with DOM XSS sinks.
    https://github.com/w3c/trusted-types/pull/407 
  - docs: Include repository field in package.json
    https://github.com/w3c/trusted-types/pull/371 
Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/permissions-registry
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
* https://github.com/w3c/webappsec-permissions-policy
* https://github.com/w3c/webappsec-fetch-metadata
* https://github.com/w3c/webappsec-trusted-types
* https://github.com/w3c/webappsec-change-password-url
* https://github.com/w3c/webappsec-post-spectre-webdev
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 22 January 2024 17:00:36 UTC