w3c/webappsec-csp Issues

Last updated Dec 22, 2024, 5:57:07 AM UTC.

This repository doesn't have the Priority: Eventually label that's used to mark an issue as triaged without giving it an SLO. Until that's added, this summary uses heuristics to guess if each issue has been triaged.

Untriaged

Try to triage issues within . [ More Info ]

Issue Title Within SLO On maintainers' plates for Time left Time past SLO
#226 Prefer blocking fall-through conditions
#235 Should frame-src control frames with "local scheme"?
#252 What I am doing wrong on this script-src
#292 Potential wrong sha256 example in 'Hash usage for script elements'
#297 Expose host in a 'host' source reference
#314 Clarification of term "parser-inserted"
#384 policy's self-origin for CSP policies inserted by <meta>
#387 http-equiv delivery method: recommend to set after <meta charset="utf-8">?
#388 Is CSPViolationReportBody a funny name?
#396 Use of "Get the effective directive for inline checks" in "Should navigation request of type from source in target be blocked by Content Security Policy?" doesn't seem to make sense
#397 Header parsing and integration with Fetch
#401 Define interaction between script-src / trusted-types
#406 Conflict in CSP reporting specs on nullable fields
#408 Update spec to new IDL syntax for optional dictionaries
#409 Update to constructor operations
#416 Add version number to allow 'non-backwards compatible' CSP[version]-mode
#421 Inconsistent behavior of frame-ancestors versus implementations
#428 `unsafe-allow-redirects` and `form-action` interact weirdly
#432 Clarify that report-uri cannot violate mixed-content
#440 host-part matching should allow IPv6 "[::1]" as it does for "127.0.0.1"
#442 Document that line-number and column-number are 1-based in CSP reporting spec
#514 Content-Security-Policy header isn't registered
#521 Editorial: header names and values are byte sequences
#524 should-block-response doesn't forward arguments
#556 Correct the link for CSP3 in the CSP2 Page
#581 Remove initialization hook
#610 CSP: Embedded Enforcement Links for issue 16 and 17 are dead
#624 frame-src using the fetch instead of the navigational check - can end up checking the wrong policies
#632 Some way to allow workers other than URL and strict-dynamic
#635 Does "Is Element Nonceable" apply to non-inline scripts?
#638 `service-worker-src` directive
#643 "Is element nonceable" not applied to non-<script> elements in Chrome?
#673 CSP spec not user-friendly
#674 Consider using SecurityPolicyViolationEvent.sourceFile a USVString
#679 Feedback request on not capturing the caller in `new Function` and indirect `eval`
#680 port-part being null is not handled
#687 Should "Should navigation request of type be blocked by Content Security Policy?" set the violation object's element?
#690 Consider recommending the usage of events instead of CSP reports for CSP WPTs
#694 Allow RFC3986 scheme relative URIs in host-source
#696 https://w3c.github.io/webappsec-csp/#report-violation invokes "Queue a task" without passing a task source
#697 EnsureCSPDoesNotBlockStringCompilation: Explain why we need to check TrustedScript's data (and add tests)
#698 EnsureCSPDoesNotBlockStringCompilation: calling "Get Trusted Type compliant string"

Agenda

Try to maintain fewer than 25 agenda items and discuss issues on the agenda within . [ More Info ] [ See these issues on Github ]

Issue Title Within SLO On the agenda for Time left Time past SLO
#425 Clarify that integrity metadata must be non-empty
#424 Use correct set of source expressions in script directives pre-request check
#523 Hashes bypass source-based allowlisting only on pre-request, not on post-request