Weekly github digest (WebAppSec specs)

Issues
------
* w3c/webappsec (+0/-0/💬6)
  2 issues received 6 new comments:
  - #645 Move OTR to Privacy Working Group (2 by mikewest, plehegar)
    https://github.com/w3c/webappsec/issues/645 [charter] 
  - #643 Planning the 2024-03-20 meeting (4 by aaronshim, plehegar)
    https://github.com/w3c/webappsec/issues/643 

* w3c/webappsec-credential-management (+2/-0/💬2)
  2 issues created:
  - Common checks (by marcoscaceres)
    https://github.com/w3c/webappsec-credential-management/issues/228 
  - Fully active checks? (by marcoscaceres)
    https://github.com/w3c/webappsec-credential-management/issues/227 

  1 issue received 2 new comments:
  - #227 Fully active checks? (2 by marcoscaceres)
    https://github.com/w3c/webappsec-credential-management/issues/227 

* w3c/permissions (+0/-3/💬0)
  3 issues closed:
  - WebDriver BiDi: support user contexts in setPermission https://github.com/w3c/permissions/issues/439 
  - Align internal states with enums https://github.com/w3c/permissions/issues/392 
  - Turn PermissionSetParameters.descriptor into an object https://github.com/w3c/permissions/issues/443 

* w3c/webappsec-permissions-policy (+0/-0/💬7)
  2 issues received 7 new comments:
  - #537 Send reports for Permissions Policy violations in iframe to parent frame's endpoint (2 by annevk, arturjanc)
    https://github.com/w3c/webappsec-permissions-policy/issues/537 
  - #208 How do I disable everything? (5 by Dreamsorcerer, anarcat, nextgenthemes)
    https://github.com/w3c/webappsec-permissions-policy/issues/208 [feature question] 

* w3c/webappsec-trusted-types (+7/-3/💬31)
  7 issues created:
  - Adopt Infra syntax throughout (by annevk)
    https://github.com/w3c/trusted-types/issues/472 
  - Developer-centric research results about Trusted Types (by rothsn)
    https://github.com/w3c/trusted-types/issues/471 
  - Create a Trusted Type Policy seems to directly set properties to callbacks (by annevk)
    https://github.com/w3c/trusted-types/issues/470 
  - Section 3.2. "Create a Trusted Type" doesn't need to stringify because `policyValue` already is a string (by mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/469 
  - Why is "callback **this** value set to null" required in step 5 of "Get Trusted Type policy value"? (by mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/468 
  - Is parseFromString where the type is "application/xml" an actual risk? (by technion)
    https://github.com/w3c/trusted-types/issues/467 
  - Creating a policy with policyName="" is possible, but can't be referred to by the "trusted-types" CSP directive (by mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/466 

  10 issues received 31 new comments:
  - #471 Developer-centric research results about Trusted Types (1 by annevk)
    https://github.com/w3c/trusted-types/issues/471 
  - #470 Create a Trusted Type Policy seems to directly set properties to callbacks (2 by annevk, lukewarlow)
    https://github.com/w3c/trusted-types/issues/470 
  - #469 Section 3.2. "Create a Trusted Type" should specify how a `policyValue=null/undefined` is stringified (9 by annevk, mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/469 
  - #468 Why is "callback **this** value set to null" required in step 5 of "Get Trusted Type policy value"? (1 by petervanderbeken)
    https://github.com/w3c/trusted-types/issues/468 
  - #467 Is parseFromString where the type is "application/xml" an actual risk? (3 by Sora2455, annevk, technion)
    https://github.com/w3c/trusted-types/issues/467 
  - #466 Creating a policy with policyName="" is possible, but can't be referred to by the "trusted-types" CSP directive (3 by lukewarlow, mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/466 
  - #461 Can we drop the default policy value changing from Eval, new Function() (and other usages of the dynamic code brand checks proposal)? (7 by caridy, koto, lukewarlow, otherdaniel)
    https://github.com/w3c/trusted-types/issues/461 
  - #425 Improve test coverage for DOM integration in WPT (1 by mbrodesser-Igalia)
    https://github.com/w3c/trusted-types/issues/425 
  - #398 Defer `fromLiteral`? (3 by erights, littledan, lukewarlow)
    https://github.com/w3c/trusted-types/issues/398 [proposed-removal] 
  - #207 Finalize the integrations that guard eval & Function.constructor (1 by lukewarlow)
    https://github.com/w3c/trusted-types/issues/207 [tc39] 

  3 issues closed:
  - Is parseFromString where the type is "application/xml" an actual risk? https://github.com/w3c/trusted-types/issues/467 
  - Improve test coverage for DOM integration in WPT https://github.com/w3c/trusted-types/issues/425 
  - Create a Trusted Type Policy seems to directly set properties to callbacks https://github.com/w3c/trusted-types/issues/470 



Pull requests
-------------
* w3c/permissions (+2/-6/💬9)
  2 pull requests submitted:
  - Tidied up document using tidy-html5 (by github-actions)
    https://github.com/w3c/permissions/pull/446 
  - Tidied up document using tidy-html5 (by github-actions)
    https://github.com/w3c/permissions/pull/445 

  5 pull requests received 9 new comments:
  - #446 Tidied up document using tidy-html5 (1 by w3cbot)
    https://github.com/w3c/permissions/pull/446 
  - #445 Tidied up document using tidy-html5 (1 by w3cbot)
    https://github.com/w3c/permissions/pull/445 
  - #444 Use `object` for PermissionSetParameters.descriptor (3 by marcoscaceres, miketaylr)
    https://github.com/w3c/permissions/pull/444 
  - #438 Add userContext field to WebDriver BiDi's setPermission (3 by OrKoN, miketaylr)
    https://github.com/w3c/permissions/pull/438 
  - #402 Add additional automation error checks (1 by marcoscaceres)
    https://github.com/w3c/permissions/pull/402 

  6 pull requests merged:
  - Add userContext field to WebDriver BiDi's setPermission
    https://github.com/w3c/permissions/pull/438 
  - Editorial: define permission states consistently
    https://github.com/w3c/permissions/pull/400 
  - Tidied up document using tidy-html5
    https://github.com/w3c/permissions/pull/446 
  - Tidied up document using tidy-html5
    https://github.com/w3c/permissions/pull/445 
  - Use `object` for PermissionSetParameters.descriptor
    https://github.com/w3c/permissions/pull/444 
  - Tidied up document using tidy-html5
    https://github.com/w3c/permissions/pull/442 

* w3c/webappsec-trusted-types (+0/-2/💬0)
  2 pull requests merged:
  - Update support for dynamic code compilation
    https://github.com/w3c/trusted-types/pull/464 
  - Remove default policy manipulating eval
    https://github.com/w3c/trusted-types/pull/465 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/w3c/webappsec
* https://github.com/w3c/webappsec-subresource-integrity
* https://github.com/w3c/webappsec-csp
* https://github.com/w3c/webappsec-mixed-content
* https://github.com/w3c/webappsec-upgrade-insecure-requests
* https://github.com/w3c/webappsec-credential-management
* https://github.com/w3c/permissions
* https://github.com/w3c/permissions-registry
* https://github.com/w3c/webappsec-referrer-policy
* https://github.com/w3c/webappsec-secure-contexts
* https://github.com/w3c/webappsec-clear-site-data
* https://github.com/w3c/webappsec-cowl
* https://github.com/w3c/webappsec-epr
* https://github.com/w3c/webappsec-suborigins
* https://github.com/w3c/webappsec-cspee
* https://github.com/w3c/webappsec-permissions-policy
* https://github.com/w3c/webappsec-fetch-metadata
* https://github.com/w3c/webappsec-trusted-types
* https://github.com/w3c/webappsec-change-password-url
* https://github.com/w3c/webappsec-post-spectre-webdev


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 11 March 2024 17:00:28 UTC