w3c/webappsec-csp Issues

Last updated May 18, 2024, 5:57:08 AM UTC.

This repository doesn't have the Priority: Eventually label that's used to mark an issue as triaged without giving it an SLO. Until that's added, this summary uses heuristics to guess if each issue has been triaged.

34 out-of-SLO untriaged issues

Untriaged

Try to triage issues within 7 days. [ More Info ]

Issue	Title	Within SLO	On maintainers' plates for	Time left	Time past SLO
#129	Multiple headers of Allow-CSP-From	❌	7.6 years		7.6 years
#226	Prefer blocking fall-through conditions	❌	6.8 years		6.8 years
#235	Should frame-src control frames with "local scheme"?	❌	6.7 years		6.7 years
#252	What I am doing wrong on this script-src	❌	6.6 years		6.6 years
#292	Potential wrong sha256 example in 'Hash usage for script elements'	❌	6.3 years		6.2 years
#297	Expose host in a 'host' source reference	❌	6.2 years		6.2 years
#314	Clarification of term "parser-inserted"	❌	5.9 years		5.9 years
#384	policy's self-origin for CSP policies inserted by <meta>	❌	5.3 years		5.2 years
#387	http-equiv delivery method: recommend to set after <meta charset="utf-8">?	❌	5.2 years		5.2 years
#388	Is CSPViolationReportBody a funny name?	❌	5.2 years		5.2 years
#396	Use of "Get the effective directive for inline checks" in "Should navigation request of type from source in target be blocked by Content Security Policy?" doesn't seem to make sense	❌	5 years		5 years
#397	Header parsing and integration with Fetch	❌	5 years		5 years
#401	Define interaction between script-src / trusted-types	❌	4.9 years		4.9 years
#406	Conflict in CSP reporting specs on nullable fields	❌	4.8 years		4.7 years
#408	Update spec to new IDL syntax for optional dictionaries	❌	4.7 years		4.7 years
#409	Update to constructor operations	❌	4.7 years		4.7 years
#416	Add version number to allow 'non-backwards compatible' CSP[version]-mode	❌	4.4 years		4.4 years
#421	Inconsistent behavior of frame-ancestors versus implementations	❌	4.2 years		4.2 years
#427	`javascript:` navigation directive-name is always null	❌	4.2 years		4.1 years
#428	`unsafe-allow-redirects` and `form-action` interact weirdly	❌	4.2 years		4.1 years
#432	Clarify that report-uri cannot violate mixed-content	❌	4.1 years		4 years
#440	host-part matching should allow IPv6 "[::1]" as it does for "127.0.0.1"	❌	3.8 years		3.8 years
#442	Document that line-number and column-number are 1-based in CSP reporting spec	❌	3.7 years		3.6 years
#514	Content-Security-Policy header isn't registered	❌	2.6 years		2.6 years
#521	Editorial: header names and values are byte sequences	❌	2.6 years		2.5 years
#524	should-block-response doesn't forward arguments	❌	2.5 years		2.5 years
#556	Correct the link for CSP3 in the CSP2 Page	❌	1.9 years		1.8 years
#581	Remove initialization hook	❌	1.5 years		1.4 years
#610	CSP: Embedded Enforcement Links for issue 16 and 17 are dead	❌	10.4 months		10.2 months
#624	frame-src using the fetch instead of the navigational check - can end up checking the wrong policies	❌	6.3 months		6.1 months
#632	Some way to allow workers other than URL and strict-dynamic	❌	5 months		4.7 months
#635	Does "Is Element Nonceable" apply to non-inline scripts?	❌	4.2 months		3.9 months
#638	`service-worker-src` directive	❌	4 months		3.8 months
#643	"Is element nonceable" not applied to non-<script> elements in Chrome?	❌	3.2 months		2.9 months
#660	Request's initiator can't be "fetch"	✔	2 days	5 days