Issues · w3c/webappsec-csp · GitHub

Stricter attribute parsing
#175 opened Jan 17, 2017 by craigfrancis
Policy to allow only custom properties in inline CSS
#174 opened Jan 14, 2017 by J0WI

5
Spec refers to "subresource" Fetch destination
#172 opened Jan 2, 2017 by yoavweiss
"Does path A match path B?" is incorrect
#171 opened Jan 1, 2017 by shekyan

1
Clarify matching expressions with `host-source` but without `scheme-source`
#166 opened Dec 8, 2016 by shekyan

4
`scheme-source` matching algorithm skips port matching
#162 opened Dec 7, 2016 by shekyan

2
Specify browser behavior for CSP headers on 304 (not modified) responses
#161 opened Dec 7, 2016 by lweichselbaum

3
Thoughts on letting CSP govern attributes that must appear in Set-Cookie
#152 opened Nov 17, 2016 by aidantwoods

1
Make `unsafe-hashed-attributes' less unsafe
#147 opened Nov 12, 2016 by briansmith

3
Clarify worker-src goals
#146 opened Nov 12, 2016 by briansmith

21
Does CSP3+Fetch apply to redirects correctly?
#134 opened Nov 3, 2016 by estark37

5
Embedded Enforcement: Invalid required csp attribute on iframe EMBEDDED
#131 opened Oct 18, 2016 by aubakirova
Multiple headers of Allow-CSP-From
#129 opened Oct 14, 2016 by aubakirova
Interaction of CSP and javascript: URLs in iframe src is not defined anywhere
#127 opened Oct 13, 2016 by bzbarsky

8
Embedded: Think about the implications of allowing injected `csp` with reporting. EMBEDDED
#126 opened Oct 12, 2016 by mikewest
Allow navigation to only whitelisted URLs via navigate-to
#125 opened Oct 6, 2016 by marumari CSP3 CR

8
Nonces for Embedding-CSP
#121 opened Sep 30, 2016 by dhausknecht

2
Chrome throws a SecurityError while Firefox does not
#120 opened Sep 28, 2016 by teddink

4
Allow "inline" violation reports to contain the text of offending scripts
#119 opened Sep 25, 2016 by arturjanc

4
do we want a directive to control postMessage explicit channels outbound?
#117 opened Sep 22, 2016 by hillbrad
Allow nonce-source to be used in more directives.
#116 opened Sep 11, 2016 by ScottHelme CSP3 CR

12
Embedding-CSP header CSP EMBEDDED
#115 opened Sep 9, 2016 by annevk

11
Add a new directive governing the use of http-equiv in <meta> tags
#112 opened Aug 29, 2016 by aidantwoods CSP3 CR

3
Add a flag to strip potentially sensitive data from reports
#111 opened Aug 26, 2016 by ScottHelme CSP3 CR

28
"Whitelisting external JavaScript with hashes" incorrectly assumes encoding of sources bug
#110 opened Aug 24, 2016 by metromoxie CSP3 CR

1

Previous 1 2 3 Next

ProTip! Updated in the last three days: updated:>2017-01-22.

You can't perform that action at this time.