Issue list (W3C Tracker layout: ID and short name, state, title, date raised, product, and the count of open actions on the issue).

| ID | Short name | State | Title | Raised on | Product | Open actions |
|---|---|---|---|---|---|---|
| ISSUE-1 | | CLOSED | Harmonize header spec with OWS / new definitions in HTTP work @ IETF | 2011-10-31 | CORS | 0 |
| ISSUE-2 | | CLOSED | Check for simple/standard request needs to check the value of the Content-Type header to determine the CORS request type | 2011-10-31 | CORS | 0 |
| ISSUE-3 | | CLOSED | How to handle directives that are not understood in v1.0 | 2011-10-31 | CSP Level 1 | 0 |
| ISSUE-4 | | CLOSED | Solicit input on policy intersection / conflict resolution | 2011-10-31 | CSP Level 1 | 0 |
| ISSUE-5 | | PENDING REVIEW | Is covering identical UI with different effects in scope? e.g. a "like" button that doesn't indicate what you're liking | 2011-11-01 | UI Security | 0 |
| ISSUE-6 | sandbox | CLOSED | Should the sandbox directive be part of CSP 1.0? | 2011-11-03 | CSP Level 1 | 0 |
| ISSUE-7 | policy-uri | CLOSED | Should the policy-uri directive be in CSP 1.0? | 2011-11-03 | CSP Level 1 | 0 |
| ISSUE-8 | | CLOSED | Identify proper behavior for HTML added via plugins / object tag | 2011-11-22 | CSP Level 1 | 0 |
| ISSUE-9 | | CLOSED | Should the user agent fire the error event when an img-src load fails? | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-10 | | CLOSED | Processing model for object element and frame-src directive | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-11 | Violation report privacy | CLOSED | Violation report privacy issues | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-12 | | CLOSED | Should 'self' be required to be replaced by an explicit host in reports? | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-13 | URI Fragments in 1.1 | CLOSED | Optionally include URI fragments in violation reports for v1.1 | 2012-02-14 | CSP Level 1 | 0 |
| ISSUE-14 | META tag for CSP | CLOSED | Investigate whether to keep the META tag for CSP | 2012-03-13 | CSP Level 1 | 0 |
| ISSUE-15 | SRCDOC, BLOB, ETC | CLOSED | How to handle srcdoc, blob:, di: and ways of directly creating content | 2012-07-03 | CSP Level 2 | 0 |
| ISSUE-16 | CSP informs client, cannot restrict it | CLOSED | Editorial: CSP cannot dictate client behavior, only inform it | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-17 | Extension compat | CLOSED | CSP should take into account extensions which modify content | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-18 | CSP as risk assessment score | CLOSED | Use CSP to report app risk and compatibility with user-specified restrictions | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-19 | Interaction of CSP and IRIs | CLOSED | How are non-ASCII characters handled in CSP? | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-20 | | CLOSED | If browsers apply the UI Security heuristic without an explicit opt-in policy, should we always block and not have the unsafe UIEvent property? | 2012-11-01 | UI Security | 0 |
| ISSUE-21 | | POSTPONED | Do assistive technologies send real events or synthetic events? | 2012-11-01 | UI Security | 0 |
| ISSUE-22 | | PENDING REVIEW | Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so the event is not delivered)? | 2012-11-01 | UI Security | 0 |
| ISSUE-23 | | CLOSED | Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block so the event is not delivered? | 2012-11-01 | | 0 |
| ISSUE-24 | | CLOSED | (); | 2012-11-01 | | 0 |
| ISSUE-25 | | CLOSED | Do frame-options directives (or other UISafety directives) make sense in a meta tag context? | 2012-11-01 | UI Security | 0 |
| ISSUE-26 | | CLOSED | Does the sandbox directive make sense in a meta tag context? | 2012-11-01 | CSP Level 2 | 0 |
| ISSUE-27 | | CLOSED | Implementation concern on how to enforce display-time: should we provide more advice on how to do this efficiently? | 2012-11-01 | UI Security | 0 |
| ISSUE-28 | | PENDING REVIEW | What specific attacks are prevented by OS screenshots; should this be recommended against generally? | 2012-11-01 | UI Security | 0 |
| ISSUE-29 | | PENDING REVIEW | What are sane defaults for clipping with clipping or selectors? | 2012-11-01 | UI Security | 0 |
| ISSUE-30 | | CLOSED | How to address dynamic application of CSP post page load / partial page load via META or a script interface | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-31 | | CLOSED | What specification's definition of URL/URI are we using for path parsing in CSP 1.1? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-32 | | CLOSED | Do we specify that path-specificity applies only to hierarchical URI schemes? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-33 | | CLOSED | Need to address blob, data, filesystem URL types with greater specificity in the CSP 1.1 spec | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-34 | | OPEN | Discuss use cases / risks of script access to CSP information; solicit specific public comment on this feature with FPWD | 2012-11-02 | CSP Level 3 | 0 |
| ISSUE-35 | | CLOSED | Should we add an "httpOnly"-like directive to CSP to indicate that the state of this policy is not available to the script APIs? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-36 | | CLOSED | Hash as a source expression for CSP 1.1 | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-37 | | CLOSED | How to apply plugin-types in CSP 1.1 to iframes | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-38 | | CLOSED | Discuss no-mixed-content further as a 1.1 experimental directive | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-39 | | CLOSED | Discuss CSP-relevant use cases for possibly including Meta Referrer as a CSP directive | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-40 | X-XSS-Protection | CLOSED | Look at incorporating X-XSS-Protection functionality into CSP 1.1 | 2012-11-08 | CSP Level 2 | 0 |
| ISSUE-41 | CSP and malicious extensions | CLOSED | CSP does not protect against malicious extensions | 2012-12-19 | CSP Level 1 | 0 |
| ISSUE-42 | CSS Nonce | CLOSED | script-nonce allows inline script; similar treatment for inline CSS? | 2013-02-01 | CSP Level 2 | 0 |
| ISSUE-43 | Custom Elements in CSP 1.1 | CLOSED | How are custom elements handled in CSP 1.1? | 2013-02-01 | CSP Level 2 | 0 |
| ISSUE-44 | | OPEN | Same-origin policy identity query via script-hash. The issue is that you include a third-party inline script with a known script-hash; if it succeeds, you know that the target was as expected, even though you can't read it | 2013-02-26 | Subresource Integrity Level 1 | 0 |
| ISSUE-45 | 'top-only' | CLOSED | Is 'top-only' worth preserving? | 2013-03-05 | UI Security | 0 |
| ISSUE-46 | Does nonce make CSP header security-sensitive | CLOSED | Does inclusion of things like nonce make CSP a sensitive header? | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-47 | | CLOSED | Revisit combinations of header and meta tags | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-48 | base uri | CLOSED | Injection of a `<base>` tag to change the effective location of relative resources | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-49 | | CLOSED | Add HTTP response code to report? | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-50 | | CLOSED | plugin-type directive and media source list for IE CLSID GUIDs | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-51 | | CLOSED | How to handle externally defined `<element>` with `<link rel=import>` | 2013-04-25 | | 0 |
| ISSUE-52 | unsafe DOM API | CLOSED | unsafe attribute requires every handler to check | 2013-04-25 | UI Security | 0 |
| ISSUE-53 | UI Security model for composited drawing models | CLOSED | UI Security model for composited drawing models | 2013-04-26 | UI Security | 0 |
| ISSUE-54 | uri vs url | CLOSED | policy-uri vs. policy-url (also report, etc.) | 2013-07-02 | CSP Level 2 | 0 |
| ISSUE-55 | input-protection and seamless iframes | CLOSED | How to handle the seamless flag for input-protection policies? | 2013-10-31 | UI Security | 0 |
| ISSUE-56 | child src navigation | CLOSED | Should we restrict subsequent navigation within child-src? | 2014-01-14 | CSP Level 2 | 0 |
| ISSUE-57 | | OPEN | Do we want to control popups, and if so, how? | 2014-02-10 | CSP Level 3 | 0 |
| ISSUE-58 | Late binding of CSP | CLOSED | Late binding of CSP policies | 2014-04-08 | CSP Level 2 | 0 |
| ISSUE-59 | SVG rules for CSP | CLOSED | Figure out how to use CSP appropriately with SVG modes | 2014-04-23 | CSP Level 2 | 0 |
| ISSUE-60 | CSP and META | CLOSED | Injecting META tags can possibly be an interesting bypass technique | 2014-04-23 | CSP Level 3 | 0 |
| ISSUE-61 | | CLOSED | Should we mark referrer and reflected-xss as at risk in the CSP 1.1 LCWD? | 2014-06-18 | | 0 |
| ISSUE-62 | | CLOSED | Is reflected-xss at risk? | 2014-06-18 | | 1 |
| ISSUE-63 | | CLOSED | Disposition of the ch-csp client hint | 2014-08-27 | | 0 |
| ISSUE-64 | | OPEN | CSP3: how to deal with large policies needed by single-page web apps (http://lists.w3.org/archives/public/public-webappsec/2014aug/0021.html) | 2014-08-27 | CSP Level 3 | 0 |
| ISSUE-65 | | RAISED | Does "no referrer" specify a state or is it a token? Is a token with a space problematic? | 2014-08-27 | Referrer Policy | 0 |
| ISSUE-66 | | RAISED | No-external-navigation as a potential CSP3 feature (http://lists.w3.org/archives/public/public-webappsec/2014aug/0053.html) | 2014-08-27 | CSP Level 3 | 0 |
| ISSUE-67 | | OPEN | WebRTC via 'connect-src'? | 2014-09-03 | CSP Level 3 | 0 |
| ISSUE-68 | 401 prompting by subresources | OPEN | How to manage 401 phishing prompts by subresources | 2014-10-27 | CSP Level 3 | 0 |
| ISSUE-69 | Overt channel control in CSP | RAISED | Consider directives to manage postMessage and external navigation of iframes | 2014-10-28 | CSP Level 3 | 0 |
| ISSUE-70 | Using ni:/// as CSP source | RAISED | Investigate using ni:/// as a CSP source expression | 2014-11-04 | CSP Level 3 | 0 |
| ISSUE-71 | JSONP directives | RAISED | Consider directives in CSP Level 3 to reduce the attack surface of legacy JSONP interfaces | 2014-11-04 | CSP Level 3 | 0 |
| ISSUE-72 | Streaming Integrity | RAISED | How to apply integrity verification to large / streaming downloads | 2014-11-17 | Subresource Integrity Level 2 | 0 |
| ISSUE-73 | CSP path matching | RAISED | Consider allowing relative paths (to 'self') in source productions | 2014-12-30 | CSP Level 3 | 0 |
| ISSUE-74 | plugin-types 'none' | RAISED | Allow explicitly setting the 'none' keyword source for the plugin-types directive | 2014-12-30 | CSP Level 3 | 0 |
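ISSUE-2 turns on a detail that is easy to get wrong when reasoning about whether a cross-origin request will be sent without a preflight: the value of Content-Type decides it, not merely the header's presence. The block below is an added example, not text or code from the tracker or from any W3C specification; it classifies requests using the current Fetch Standard's CORS-safelisted method and request-header definitions, which superseded the 2011 CORS draft the issue was filed against. Assumed for the example: header values arrive as JS strings whose UTF-8 encoding stands in for the wire bytes, the MIME "essence" is taken as the text before the first `;` (a simplified parse), and the Range header's safelisting rules and the body-driven preflight cases (streaming bodies, upload listeners) are left out. The sample requests at the bottom are constructed.

```javascript
// Added example (not from the W3C tracker page): is a cross-origin request
// "simple" (no preflight) or preflighted? Follows the Fetch Standard's
// CORS-safelisted definitions; Range and body-driven preflights are omitted.

const CORS_SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const CORS_SAFELISTED_MIME_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const SAFELIST_VALUE_LIMIT = 128;   // per-header value limit (bytes)
const SAFELIST_TOTAL_LIMIT = 1024;  // combined limit across safelisted headers

// Assumption: UTF-8 bytes of the JS string stand in for the header's byte sequence.
const encode = (s) => new TextEncoder().encode(s);

// Fetch "CORS-unsafe request-header byte": any control byte except HT,
// or one of " ( ) : < > ? @ [ \ ] { } DEL.
function isCorsUnsafeByte(b) {
  if (b < 0x20) return b !== 0x09;
  return [0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
          0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f].includes(b);
}

// Fetch "CORS-safelisted request-header". Names compare case-insensitively.
function isCorsSafelistedHeader(name, value) {
  const bytes = encode(value);
  if (bytes.length > SAFELIST_VALUE_LIMIT) return false;
  switch (name.toLowerCase()) {
    case 'accept':
      return !bytes.some(isCorsUnsafeByte);
    case 'accept-language':
    case 'content-language':
      // Only 0-9, A-Z, a-z, space, * , - . ; = are permitted.
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case 'content-type': {
      // The ISSUE-2 point: the value decides, not the header name alone.
      if (bytes.some(isCorsUnsafeByte)) return false;
      const essence = value.split(';')[0].trim().toLowerCase(); // simplified MIME parse
      return CORS_SAFELISTED_MIME_ESSENCES.has(essence);
    }
    default:
      return false; // Range's extra rules are not modelled here
  }
}

// Fetch "CORS-unsafe request-header names": the lower-cased, sorted set of
// names a preflight would have to carry in Access-Control-Request-Headers.
// Accepts either an object or an array of [name, value] pairs (the array form
// allows repeated names, which is how the combined 1024-byte limit is reached).
function corsUnsafeHeaderNames(headers) {
  const entries = Array.isArray(headers) ? headers : Object.entries(headers);
  const unsafe = [];
  const safelisted = [];
  let safelistValueSize = 0;
  for (const [name, value] of entries) {
    const lower = name.toLowerCase();
    if (isCorsSafelistedHeader(lower, value)) {
      safelisted.push(lower);
      safelistValueSize += encode(value).length;
    } else {
      unsafe.push(lower);
    }
  }
  if (safelistValueSize > SAFELIST_TOTAL_LIMIT) unsafe.push(...safelisted);
  return [...new Set(unsafe)].sort();
}

// True when the browser would send an OPTIONS preflight before this request.
function needsPreflight(method, headers = {}) {
  if (!CORS_SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return corsUnsafeHeaderNames(headers).length > 0;
}

// Constructed sample requests, not taken from the page.
const SAMPLES = [
  ['GET',  { Accept: '*/*' }],
  ['POST', { 'Content-Type': 'application/x-www-form-urlencoded' }],
  ['POST', { 'Content-Type': 'text/plain; charset=utf-8' }],
  ['POST', { 'Content-Type': 'application/json' }],
  ['POST', { 'Content-Type': 'text/plain; boundary="x"' }], // the quote is a CORS-unsafe byte
  ['POST', { 'X-Requested-With': 'XMLHttpRequest' }],
  ['PUT',  { 'Content-Type': 'text/plain' }],
];
for (const [method, headers] of SAMPLES) {
  console.log(method, JSON.stringify(headers), '=>',
              needsPreflight(method, headers) ? 'preflight' : 'simple');
}
```

Run it with `node`. The practical consequence for a server-side CSRF or CORS review: an endpoint that accepts `text/plain` or form-encoded bodies can be hit cross-origin with no preflight at all, whereas `application/json` forces one, and a "Content-Type is present, so it's safe" check in a proxy or WAF is wrong on both counts.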