w3c/webappsec-cspee Issues

Last updated Apr 27, 2026, 8:11:53 AM UTC.

This repository doesn't have the Priority: Eventually label that's used to mark an issue as triaged without giving it an SLO. Until that's added, this summary uses heuristics to guess if each issue has been triaged.

12 out-of-SLO untriaged issues

Untriaged

Try to triage issues within 7 days. [ More Info ]

Issue	Title	Within SLO	On maintainers' plates for	Time left	Time past SLO
#1	How is CSPEE recursive?	❌	7.5 years		7.5 years
#2	Embedded: make clear that servers MUST respond with a CSP or Allow-CSP-From header, <meta> CSP's are not allowed.	❌	7.5 years		7.5 years
#3	Embedding-CSP header	❌	7.5 years		7.5 years
#4	Embedded: consider other contexts other than iframe	❌	7.5 years		7.5 years
#5	Clarify what is the threat model for embedded enforcement	❌	7.5 years		7.5 years
#6	Embedded Enforcement: Invalid required csp attribute on iframe	❌	7.5 years		7.5 years
#7	Embedded: Think about the implications of allowing injected `csp` with reporting.	❌	7.5 years		7.5 years
#11	Cancel navigation on invalid required CSP attribute	❌	5.9 years		5.8 years
#12	Should we restrict CSPEE to secure schemes?	❌	5.8 years		5.8 years
#14	Wildcard hosts and CSP source intersection	❌	5.7 years		5.7 years
#16	Meaning of 'self' in csp attribute	❌	5.7 years		5.7 years
#17	Rewrite source expression intersection without using similarity	❌	5.7 years		5.7 years
#31	Broken links in Content Security Policy: Embedded Enforcement	✔	2 hours	1 week