w3c/webappsec-cspee Issues

Last updated Nov 21, 2024, 5:57:26 AM UTC.

This repository doesn't have the Priority: Eventually label that's used to mark an issue as triaged without giving it an SLO. Until that's added, this summary uses heuristics to guess if each issue has been triaged.

Untriaged

Try to triage issues within . [ More Info ]

Issue Title Within SLO On maintainers' plates for Time left Time past SLO
#1 How is CSPEE recursive?
#2 Embedded: make clear that servers MUST respond with a CSP or Allow-CSP-From header, <meta> CSP's are not allowed.
#3 Embedding-CSP header
#4 Embedded: consider other contexts other than iframe
#5 Clarify what is the threat model for embedded enforcement
#6 Embedded Enforcement: Invalid required csp attribute on iframe
#7 Embedded: Think about the implications of allowing injected `csp` with reporting.
#9 Fix subsume-source-expressions algorithm
#10 Should file and filesystem schemes allow blanket enforcement?
#11 Cancel navigation on invalid required CSP attribute
#12 Should we restrict CSPEE to secure schemes?
#13 Fix examples involving wildcard host matching.
#14 Wildcard hosts and CSP source intersection
#15 Fix example of non-similar CSP sources with different ports
#16 Meaning of 'self' in csp attribute
#17 Rewrite source expression intersection without using similarity
#21 Limit length of CSP attribute
#24 Editor's draft not getting autoupdated
#27 Broken references in Content Security Policy: Embedded Enforcement