ACTION-1 |
closed |
Find an appropriate way to make available http://www.w3.org/2001/tag/2011/02/security-web.html to the Web App Sec working group |
Brad Hill |
2011-11-07 |
|
ACTION-2 |
closed |
Get brandon CVS access. |
Brad Hill |
2011-11-07 |
|
ACTION-3 |
closed |
Move CSP to CVS from Mercurial. |
Brandon Sterne |
2011-11-07 |
|
ACTION-4 |
closed |
Seek out all old CSP drafts and point them to the new version |
Brandon Sterne |
2011-11-07 |
|
ACTION-5 |
closed |
Set up a doodle for selecting a time for calls |
Eric Rescorla |
2011-11-07 |
|
ACTION-6 |
closed |
Set up testing mailing list |
Brad Hill |
2011-11-07 |
|
ACTION-7 |
closed |
Set up Mercurial repo for test cases |
Brad Hill |
2011-11-07 |
|
ACTION-8 |
closed |
Coordinate with phillipe or mike @ w3c on testing infrastructure |
Brad Hill |
2011-11-07 |
|
ACTION-9 |
closed |
Document interactions between CORS and caching / vary header and best practices |
Adam Barth |
2011-12-13 |
|
ACTION-10 |
closed |
Invite mark miller and tyler close to join WG, comment on UMP |
Brad Hill |
2011-11-07 |
|
ACTION-11 |
closed |
Document content-type header values that influence determination of simple / non-simple CORS request type |
Adam Barth |
2011-12-20 |
|
ACTION-12 |
closed |
Document lack of critical semantics on policy directives, behavior on unknown extensions or new directives |
Adam Barth |
2011-11-07 |
|
ACTION-13 |
closed |
Create a wiki page for soft registrations of directives people are experimenting with |
Adam Barth |
2011-11-07 |
|
ACTION-14 |
closed |
Remove proposed directives and make any urgent editorial by COB tomorrow. |
Brandon Sterne |
2011-11-07 |
|
ACTION-15 |
closed |
And bhill2 to issue a call for comments before an FPWD to last one week tomorrow COB |
Eric Rescorla |
2011-11-07 |
|
ACTION-16 |
closed |
Update the milestones with dates he feels comfortable with |
Anne van Kesteren |
2011-12-13 |
|
ACTION-17 |
closed |
Add 1.1 as an item on the WG page. |
Brad Hill |
2011-11-07 |
|
ACTION-18 |
closed |
Round-trip decision on sandboxing in CSP to WHATWG |
Brad Hill |
2011-11-07 |
|
ACTION-19 |
closed |
Clarify policy applied for html loaded via object tag |
Adam Barth |
2012-01-03 |
ISSUE-8 |
ACTION-20 |
closed |
Liaison with widgets activity on policy placeholder for widgets |
Brad Hill |
2012-05-29 |
|
ACTION-21 |
closed |
Update cheat sheet |
Brad Hill |
2011-11-08 |
|
ACTION-22 |
closed |
Take a first cut. |
Brad Hill |
2011-11-08 |
|
ACTION-23 |
closed |
Take a first cut at a use cases document for isolated addressable frames |
Brad Hill |
2011-11-08 |
|
ACTION-24 |
closed |
Draft spec language for sandbox directive |
Adam Barth |
2011-11-29 |
|
ACTION-25 |
closed |
Ping jrossi for feedback on policy-uri directive |
Brad Hill |
2011-11-08 |
|
ACTION-26 |
closed |
Set up mercurial repo for tests and get a simple test for Adam |
Gopal Raghavan |
2011-11-29 |
|
ACTION-27 |
closed |
Start discussion on issue 8 next week |
Adam Barth |
2011-11-29 |
|
ACTION-28 |
closed |
Start discussion on issue 4 next week |
Adam Barth |
2011-11-29 |
|
ACTION-29 |
closed |
Send out CfC for CORS advancement to Last Call to public-webappsec and public-webapps |
Brad Hill |
2011-12-13 |
|
ACTION-30 |
closed |
Test |
Eric Rescorla |
2011-12-13 |
|
ACTION-31 |
closed |
Edit Firefox compatible CSP/Workers interaction into document |
Adam Barth |
2011-12-13 |
|
ACTION-32 |
closed |
Document object tag/HTML interaction (issue 8) as "should be syntax-oriented, not semantics-oriented" |
Brandon Sterne |
2011-12-13 |
|
ACTION-33 |
closed |
Create VirtualBox image for test development |
Brad Hill |
2012-01-15 |
|
ACTION-34 |
closed |
Go through document and check that "first found" policy is clear |
Eric Rescorla |
2012-01-11 |
|
ACTION-35 |
closed |
Add advice for server operators about combining policies |
Adam Barth |
2012-03-13 |
|
ACTION-36 |
closed |
Copy clickjacking info to wiki and email list |
David Huang |
2012-03-13 |
|
ACTION-37 |
closed |
Email anne wrt proposed additions to security considerations for CORS re: confused deputy |
Brad Hill |
2012-01-10 |
|
ACTION-38 |
closed |
Record that ISPs should not mess with CSP, and if you are worried about this, you should do HTTPS. |
Brandon Sterne |
2012-01-10 |
|
ACTION-39 |
closed |
Incorporate Eric's Action 34 comments into the document |
Adam Barth |
2012-01-24 |
|
ACTION-40 |
closed |
Modify the spec to say that img-src loads which fail due to CSP policy cause errors to be raised (ISSUE-9) |
Adam Barth |
2012-01-24 |
|
ACTION-41 |
closed |
Update the spec per consensus on ISSUE 10 |
Adam Barth |
2012-01-24 |
|
ACTION-42 |
closed |
Confirm on list that we are going to remove request headers (ISSUE 11) |
Adam Barth |
2012-01-24 |
|
ACTION-43 |
closed |
to ask list about URI fragment ids in CSP reports |
Brad Hill |
2012-01-24 |
|
ACTION-44 |
closed |
Poll list on resolution to issue 12 "server should include the origin of the report and keep the original policy text intact, including self" |
Adam Barth |
2012-01-24 |
|
ACTION-45 |
closed |
Reraise whether ISSUE #8 (see also action #18) has been closed with clear enough text |
Brad Hill |
2012-01-24 |
|
ACTION-46 |
closed |
Update CORS Origin header behavior in case of HTTP redirect |
Anne van Kesteren |
2012-02-14 |
|
ACTION-47 |
closed |
Add this |
Adam Barth |
2012-02-21 |
|
ACTION-48 |
closed |
Add referrer field for reporting |
Adam Barth |
2012-02-21 |
|
ACTION-49 |
closed |
Followup on list to http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0014.html |
Brad Hill |
2012-02-21 |
|
ACTION-50 |
closed |
Start discussion on ISSUE 7 |
Adam Barth |
2012-02-21 |
|
ACTION-51 |
closed |
Review CORS new sec cons language and provide editorial fixes |
Brad Hill |
2012-04-21 |
|
ACTION-52 |
closed |
Email tlr to send CORS to LC |
Brad Hill |
2012-03-06 |
|
ACTION-53 |
closed |
Do straw poll on the list about policy-uri for CSP 1.0/1.1 question |
Eric Rescorla |
2012-03-06 |
|
ACTION-54 |
closed |
Find a new owner for action-35 |
Brad Hill |
2012-03-20 |
|
ACTION-55 |
closed |
Put together F2F agenda proposal for list |
Brad Hill |
2012-03-20 |
|
ACTION-56 |
closed |
Remove policy-uri directive |
Adam Barth |
2012-04-10 |
|
ACTION-57 |
closed |
Cross-post proposal to HTTP and WebSec WG at IETF |
Adam Barth |
2012-04-17 |
|
ACTION-58 |
closed |
Integrate jeffh comments into sec considerations in CORS |
Brad Hill |
2012-05-09 |
|
ACTION-59 |
closed |
Create 1.1 impl by end of week |
Adam Barth |
2012-05-09 |
|
ACTION-60 |
closed |
Write a message to the mailing list describing his proposal for how to handle URLs with paths (truncate to the origin) |
Daniel Veditz |
2012-05-09 |
|
ACTION-61 |
closed |
Merge bhill's policy combination text into the CSP document |
Adam Barth |
2012-05-09 |
|
ACTION-62 |
closed |
400 response for EventSource causes infinite polling |
Brad Hill |
2012-05-10 |
|
ACTION-63 |
closed |
400 response for EventSource causes infinite polling |
Adam Barth |
2012-05-10 |
|
ACTION-64 |
closed |
Add day 2 minutes from face to face meeting |
Brad Hill |
2012-05-15 |
|
ACTION-65 |
closed |
Put question out to the list. |
Brad Hill |
2012-05-15 |
|
ACTION-66 |
closed |
Add error handling behavior in 1.0 spec |
Adam Barth |
2012-05-15 |
|
ACTION-67 |
closed |
Add a description for how to handle content-type in CSP 1.1 - 06/30/2012 |
Adam Barth |
2012-07-17 |
|
ACTION-68 |
closed |
Coordinate with Giorgi on a draft proposal - 07/2012 |
David Huang |
2012-05-15 |
|
ACTION-69 |
closed |
Check on W3C process on referring to HTML5 |
Brad Hill |
2012-06-12 |
|
ACTION-70 |
closed |
Review history of CORS comments from bhill/jeffh and make recommendations |
Adam Barth |
2012-07-03 |
|
ACTION-71 |
closed |
Review history of CORS comments from bhill/member:jeffh and make recommendations |
Eric Rescorla |
2012-07-03 |
|
ACTION-72 |
closed |
To review history of CORS comments from bhill/member:jeffh and make recommendations |
Daniel Veditz |
2012-07-03 |
|
ACTION-73 |
closed |
Start cross-IETF/W3C discussion on XFO/FO/UI Safety |
Brad Hill |
2012-07-10 |
|
ACTION-74 |
closed |
check with W3C contact re: mailing list issues and delivery |
Brad Hill |
2012-07-24 |
|
ACTION-75 |
closed |
Liaison with DeviceAPI group re: CSP as policy framework for mobile least privilege |
Brad Hill |
2012-07-24 |
|
ACTION-76 |
closed |
Are any features of CORS at-risk due to only one implementation? |
Gopal Raghavan |
2012-09-04 |
|
ACTION-77 |
closed |
Set up ccarson as CORS editor |
Brad Hill |
2012-09-04 |
|
ACTION-78 |
closed |
Issue CfC for CSP 1.0 to CR, Call for Impls |
Brad Hill |
2012-09-04 |
|
ACTION-79 |
closed |
Issue CfC for CORS to CR, Call for Impls |
Brad Hill |
2012-09-04 |
|
ACTION-80 |
closed |
Invite Tobias Gondrom as Invited Expert for frame-options work |
Brad Hill |
2012-09-18 |
|
ACTION-81 |
closed |
Incorporate editorial suggestions in ISSUE-16 |
Adam Barth |
2012-09-18 |
|
ACTION-82 |
closed |
Respond to ingo chao on official WG position re: csp policies for add-on modifications to resources |
Brad Hill |
2012-11-08 |
|
ACTION-83 |
closed |
Update port numbers on apache for test vm; 80-83 |
Brad Hill |
2013-02-26 |
|
ACTION-84 |
closed |
Create acceptance tests for section 5 |
Gopal Raghavan |
2012-11-08 |
|
ACTION-85 |
closed |
Create acceptance tests for section 6 |
Gopal Raghavan |
2012-11-08 |
|
ACTION-86 |
closed |
Create acceptance tests for section 7 |
Gopal Raghavan |
2012-11-08 |
|
ACTION-87 |
closed |
Fix transient CORS test failures due to caching behavior |
Odin Hørthe Omdal |
2012-11-08 |
|
ACTION-88 |
closed |
Talk to annevk and clarify UA behavior on section 6.2 if resource asks for credentials and gives * to preflight |
Brad Hill |
2012-11-08 |
|
ACTION-89 |
closed |
Rewrite abnf production of frame-options to have deny alternating with top-only and ancestor versions |
Brad Hill |
2012-11-08 |
|
ACTION-90 |
closed |
Sync up with David Ross and Eric Lawrence on XFO justification for ALLOW-FROM single origin restriction |
Brad Hill |
2012-11-08 |
|
ACTION-91 |
closed |
Propose testing day as part of joint HTML/WebApps/WebAppSec F2F in silicon valley to list |
Brad Hill |
2012-11-09 |
|
ACTION-92 |
closed |
Propose spec text to resolve ISSUE-32 |
Daniel Veditz |
2012-11-09 |
ISSUE-32 |
ACTION-93 |
closed |
Query list if any use cases for reportURIs script interface |
Mike West |
2012-11-09 |
|
ACTION-94 |
closed |
Add specificity to CSP 1.1 draft that script access queries ONLY state of CSP, not general reachability of URLs by configured browser context |
Mike West |
2012-11-09 |
|
ACTION-95 |
closed |
Correct "font-src" typo in the form-action text of CSP 1.1 |
Mike West |
2012-11-09 |
|
ACTION-96 |
closed |
Add note clarifying that form-action is not subject to default-src fallback |
Mike West |
2012-11-09 |
|
ACTION-97 |
closed |
Propose spec language for policy-uri directive |
Daniel Veditz |
2013-05-25 |
|
ACTION-98 |
closed |
Propose spec text for experimental jsonp-src jsonp-sink directives |
Brad Hill |
2012-11-09 |
|
ACTION-99 |
closed |
Fold X-XSS-Protection into CSP 1.1. |
Mike West |
2012-11-24 |
|
ACTION-100 |
closed |
get Zakim back in sync with time of call |
Brad Hill |
2012-11-27 |
|
ACTION-101 |
closed |
Follow up with Mike Smith at w3c on test server config, re: Options headers, etc. |
Brad Hill |
2013-02-26 |
|
ACTION-102 |
closed |
Write up strawman for event on violation of CSP, coordinate w/dveditz |
Mike West |
2012-12-11 |
|
ACTION-103 |
closed |
Follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute |
Brad Hill |
2012-12-11 |
|
ACTION-104 |
closed |
Follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility |
Adam Barth |
2013-01-29 |
|
ACTION-105 |
closed |
Change short name from UI Safety to UI Security on next WD publication |
Brad Hill |
2013-02-27 |
|
ACTION-106 |
closed |
Add some non-normative examples of how multiple headers/meta tags interact to tighten the effective policy. |
Mike West |
2013-01-05 |
|
ACTION-107 |
closed |
Investigate assistive technologies use of real or synthetic events |
Brad Hill |
2013-01-22 |
ISSUE-21 |
ACTION-108 |
closed |
to query list on whether default UI Security heuristic behavior should be block or report |
Brad Hill |
2013-01-22 |
ISSUE-20 |
ACTION-109 |
closed |
Add spec language to CSP 1.1 regarding certain directives not honored in META |
Daniel Veditz |
2013-05-25 |
ISSUE-26 |
ACTION-110 |
closed |
Clarify that frame-options not allowed in META, reference relative to CSP 1.1 spec |
Brad Hill |
2013-01-22 |
ISSUE-25 |
ACTION-111 |
closed |
Provide guidance on efficient enforcement of display-time |
Giorgio Maone |
2013-01-22 |
ISSUE-27 |
ACTION-112 |
closed |
Raise issue 29 on public-webappsec list for further discussion |
Giorgio Maone |
2013-01-22 |
ISSUE-29 |
ACTION-113 |
closed |
Chase specs and references for URL/URI definition used in CSP 1.1 |
Adam Barth |
2013-01-22 |
ISSUE-31 |
ACTION-114 |
closed |
Assign actions for issues 34, 35, 36, 37, 38, 39 to abarth |
Brad Hill |
2013-01-22 |
|
ACTION-115 |
pending review |
Make proposal on handling of srcdoc, blob, etc. (ISSUE-15) |
Adam Barth |
2013-05-07 |
SRCDOC, BLOB, ETC |
ACTION-116 |
closed |
Update CSP 1.1 spec to indicate violation type for default-src violations |
Mike West |
2013-02-05 |
|
ACTION-117 |
closed |
Mention HSTS in implementation note as a reason things might stop working |
Mike West |
2013-02-05 |
|
ACTION-118 |
closed |
Email list on UISecurity issue 2 - multiple values for Frame-Options ALLOW FROM |
Brad Hill |
2013-02-05 |
|
ACTION-119 |
closed |
Update CSP 1.1 to indicate line number reports for in-line scripts |
Mike West |
2013-02-05 |
|
ACTION-120 |
closed |
Propose language to spec to explain how custom elements are handled (see issue 43) |
Adam Barth |
2013-02-19 |
|
ACTION-121 |
closed |
Email the list with the generic src-nonce proposal (i.e., not specifically for each thing that could be srced) |
Mike West |
2013-05-07 |
|
ACTION-122 |
closed |
Remove obsolete language for XFO in UI Security draft |
Brad Hill |
2013-03-05 |
|
ACTION-123 |
closed |
Bring the CORS 2xx issue up on list and specifically with Anne |
Brad Hill |
2013-04-02 |
|
ACTION-124 |
closed |
Create test cases for CORS and 2xx, 4xx, 5xx status codes |
Brad Hill |
2013-04-02 |
|
ACTION-125 |
closed |
Investigate WHATWG spec text vs RFC 3986 for normalization in CSP |
Mike West |
2013-04-02 |
|
ACTION-126 |
closed |
Propose urlencoded mime type solution for cross-origin JSON to list |
Brad Hill |
2013-04-02 |
|
ACTION-127 |
closed |
Add one-way mutability to policy points exposed in script interface |
Mike West |
2013-11-05 |
|
ACTION-128 |
closed |
Raise intersection of meta and header policies on list |
Brad Hill |
2013-05-02 |
CSP Level 2 |
ACTION-129 |
closed |
Research and propose spec text for applying plugin-types to iframes |
Adam Barth |
2013-05-25 |
CSP Level 2 |
ACTION-130 |
closed |
Draft text on referer control policy |
Mike West |
2013-05-25 |
CSP Level 2 |
ACTION-131 |
closed |
Write a problem statement exploring the space of mixed content specifications |
Brad Hill |
2013-05-02 |
|
ACTION-132 |
closed |
Write a problem statement exploring the space of HTML templating / safe HTML |
Brad Hill |
2013-05-02 |
|
ACTION-133 |
closed |
better specify XPath reporting in UI Security |
Brad Hill |
2013-05-07 |
UI Security |
ACTION-134 |
closed |
report dependencies on event types |
Brad Hill |
2013-05-25 |
UI Security |
ACTION-135 |
closed |
Promote the security model documentation project |
Thomas Roessler |
2013-05-03 |
|
ACTION-136 |
closed |
Issue CfC to list on new WD publication of CSP 1.1 |
Adam Barth |
2013-05-14 |
|
ACTION-137 |
closed |
Query list whether CORS HTTP auth should re-open spec |
Brad Hill |
2013-05-14 |
|
ACTION-138 |
closed |
Update csp report content-type to application/csp-report or similar |
Adam Barth |
2013-05-14 |
|
ACTION-139 |
closed |
Add HTTP response code to reports in CSP 1.1 |
Adam Barth |
2013-06-11 |
|
ACTION-140 |
closed |
Add text addressing https://www.w3.org/Bugs/Public/show_bug.cgi?id=22256 |
Adam Barth |
2013-06-11 |
|
ACTION-141 |
open |
CSP Next: Update default-src language to be more future-proof |
Mike West |
2015-01-31 |
CSP Level 3 |
ACTION-142 |
closed |
Email bhill, ekr, and tobie re github setup |
Wendy Seltzer |
2013-06-11 |
|
ACTION-143 |
closed |
CSP Level 2: change error handling behavior for loading blocked resources |
Mike West |
2014-07-31 |
CSP Level 2 |
ACTION-144 |
open |
CSP Next: Propose text on layering of fetch context types with CSP directives |
Mike West |
2015-01-31 |
CSP Level 3 |
ACTION-145 |
closed |
Update nonce-value directive to allow b64, b64url chars, specify minimum length of 1 |
Adam Barth |
2013-07-09 |
|
ACTION-146 |
closed |
Respond to list, propose setting worker policy from header rather than inheriting it |
Daniel Veditz |
2013-07-09 |
|
ACTION-147 |
closed |
Propose updated hash source text to list addressing http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0004.html |
Neil Matatall |
2013-07-23 |
|
ACTION-148 |
closed |
Get patent release on referer control proposal from lafs authors |
Brad Hill |
2013-08-20 |
|
ACTION-149 |
closed |
Document proposal of simply excluding blob:, data:, etc from matching * everywhere, no explicit tie to unsafe-eval |
Daniel Veditz |
2013-10-22 |
|
ACTION-150 |
closed |
Post a cfc to the list on closing the csp 1.1 feature set |
Brad Hill |
2013-09-17 |
|
ACTION-151 |
closed |
to provide text to list about interaction btwn extensions and csp is |
Mike West |
2013-11-05 |
|
ACTION-152 |
closed |
CSP 2: Update csp to make unsafe-inline, unsafe-eval universal constructs |
Mike West |
2014-07-31 |
CSP Level 2 |
ACTION-153 |
closed |
Propose more precise text for child-src directive idea |
Brad Hill |
2014-08-26 |
CSP Level 3 |
ACTION-154 |
closed |
Propose more precise language for directives for shared worker |
Brad Hill |
2013-11-26 |
|
ACTION-155 |
pending review |
Update csp to reflect that workers use policy resource is delivered with |
Mike West |
2013-11-26 |
|
ACTION-156 |
pending review |
CSP: Clarify plugin-src behavior: if able to determine resource, self or none |
Mike West |
2014-11-01 |
CSP Level 2 |
ACTION-157 |
closed |
Cancel dec 31st call |
Brad Hill |
2013-12-10 |
|
ACTION-158 |
closed |
Raise frame-options vs. frame-ancestors name on ietf websec list |
Brad Hill |
2013-12-10 |
|
ACTION-159 |
closed |
Respond to list re: consensus that applying hash/nonce to inline handlers not desired as a 1.1 feature |
Neil Matatall |
2013-12-24 |
|
ACTION-160 |
closed |
Reply to jonas sicking on list re: cascade of style-src to font-src |
Brad Hill |
2013-12-24 |
|
ACTION-161 |
closed |
Abandon cfc on uisecurity to lcwd for now |
Brad Hill |
2013-12-24 |
|
ACTION-162 |
closed |
Propose to list text on form-action vs. connect-src re: sending data vs. receiving it |
Brad Hill |
2014-02-05 |
|
ACTION-163 |
closed |
Give language on how frame-ancestors interacts with xfo |
Brad Hill |
2014-02-05 |
|
ACTION-164 |
open |
CSP Next: Integrate mnot's cookie scope proposal. |
Mike West |
2015-01-31 |
CSP Level 3 |
ACTION-165 |
closed |
Open sri issues in tracker from spec text |
Brad Hill |
2014-03-19 |
|
ACTION-166 |
open |
to add an explicit "privacy considerations" section to sri |
Mike West |
2014-03-19 |
Subresource Integrity Level 1 |
ACTION-167 |
open |
Respond to list queries about hints for content-addressable storage |
Devdatta Akhawe |
2014-05-30 |
Subresource Integrity Level 1 |
ACTION-168 |
closed |
Raise to the list handling of csp associated with installed apps as possible spec note |
Brad Hill |
2014-04-16 |
CSP Level 2 |
ACTION-169 |
open |
Read and respond to use of sri hashes for caching/alternate locations: http://lists.w3.org/archives/public/public-webappsec/2014mar/0103.html |
Devdatta Akhawe |
2014-05-30 |
Subresource Integrity Level 1 |
ACTION-170 |
closed |
Arrange some joint meeting time with svg wg |
Brad Hill |
2014-04-30 |
|
ACTION-171 |
closed |
Propose text to list on issue-58 |
Brad Hill |
2014-04-30 |
CSP Level 2 |
ACTION-172 |
open |
Review serviceworker issues relevant to csp from github |
Mike West |
2015-01-31 |
CSP Level 3 |
ACTION-173 |
closed |
Talk with plh about fetch and csp, invite conversation with webappsec |
Wendy Seltzer |
2014-05-14 |
|
ACTION-174 |
closed |
Raise frame-ancestors/fetch/neterror on list |
Mike West |
2014-11-03 |
CSP Level 2 |
ACTION-175 |
closed |
Post tpac dates to list for next f2f |
Brad Hill |
2014-05-14 |
|
ACTION-176 |
closed |
Post a redux and cfc on options for resolving the redirects/paths/reporting issue in csp 1.1 |
Brad Hill |
2014-06-11 |
|
ACTION-177 |
closed |
Send a cfc to adopt mixed content draft as a wg product |
Brad Hill |
2014-06-25 |
|
ACTION-178 |
closed |
Update csp 1.0 extensions language for pr to match 1.1 lcwd text |
Brad Hill |
2014-11-25 |
CSP Level 1 |
ACTION-179 |
closed |
Investigate duration of lc for csp 1.1 |
Brad Hill |
2014-06-25 |
|
ACTION-180 |
closed |
Document that user-set prefs regarding referrers override csp-set policies |
Mike West |
2014-06-25 |
|
ACTION-181 |
open |
Suggest more clear use case and language around exact behavior for noncanonical-src |
Brad Hill |
2014-11-17 |
Subresource Integrity Level 1 |
ACTION-182 |
open |
Make sure blob origin is discussed further on list |
Brad Hill |
2014-11-17 |
CSP Level 3 |
ACTION-183 |
closed |
Add language that user-agent may decline to send reports for priority of constituency reasons and still be conforming |
Mike West |
2014-07-09 |
CSP Level 2 |
ACTION-184 |
closed |
Make sure the spec says frame-ancestors uses the origin rather than the url |
Mike West |
2014-07-23 |
CSP Level 2 |
ACTION-185 |
closed |
Make sure that frame-ancestors is relative to origin, not url and without path components |
Brad Hill |
2014-07-23 |
CSP Level 2 |
ACTION-186 |
open |
Do more research on preventing 401 attach http://lists.w3.org/archives/public/public-webappsec/2014aug/0016.html |
Brad Hill |
2015-01-31 |
CSP Level 3 |
ACTION-187 |
closed |
Reconsider call time |
Brad Hill |
2014-09-17 |
|
ACTION-188 |
open |
Evaluate json-src |
Mike West |
2015-01-31 |
CSP Level 3 |
ACTION-189 |
open |
Evaluate script-ancestors |
Mike West |
2015-01-31 |
CSP Level 3 |
ACTION-190 |
open |
Is reflected-xss directive at risk? |
David Walp |
2014-11-03 |
ISSUE-62 |
ACTION-191 |
closed |
Inconsistency in source hash description |
Mike West |
2014-11-03 |
CSP Level 2 |
ACTION-192 |
open |
Evaluate control over nesting depth. |
Mike West |
2014-11-03 |
CSP Level 3 |
ACTION-193 |
closed |
Respond to Brian Smith on referrer-policy |
Brad Hill |
2014-11-03 |
|
ACTION-194 |
closed |
Respond to Hatter Jiang on 401 attach |
Brad Hill |
2014-11-03 |
CSP Level 2 |
ACTION-195 |
closed |
Respond to Hatter Jiang on JSONP directives - under consideration for v.Next |
Brad Hill |
2014-11-03 |
|
ACTION-196 |
closed |
Remove intranet/internet section from Mixed Content spec |
Mike West |
2014-11-03 |
Mixed Content |
ACTION-197 |
closed |
Schedule an ad-hoc at TPAC 2014 (+wseltzer, +plh, +robin, +tbl?) |
Brad Hill |
2014-10-28 |
|
ACTION-198 |
open |
Take bookmarklets discussion back to the list |
Brad Hill |
2014-11-17 |
CSP Level 3 |
ACTION-199 |
open |
Keep topic of internet/intranet connectivity and https on the w3c radar |
Wendy Seltzer |
2014-11-03 |
|
ACTION-200 |
pending review |
Investigate git issue tooling with other w3c groups |
Brad Hill |
2014-11-24 |
|
ACTION-201 |
closed |
Add permissions api to draft charter |
Brad Hill |
2014-11-24 |
|
ACTION-202 |
closed |
Issue cfc on new draft charter |
Brad Hill |
2014-11-24 |
|
ACTION-203 |
closed |
Raise issue for sri large object /streaming integrity |
Brad Hill |
2014-11-24 |
|
ACTION-204 |
pending review |
Reply to mark watson that 1/2 of his issue is a last call comment to mix |
Brad Hill |
2014-11-24 |
|
ACTION-205 |
pending review |
Does link really violate csp guarantees? |
Brad Hill |
2014-11-24 |
|
ACTION-206 |
pending review |
Reply on referrer suggest imperative policy controls in serviceworker |
Brad Hill |
2014-11-24 |
|
ACTION-207 |
open |
Raise definition of sandboxed worker in html spec |
Brad Hill |
2014-11-24 |
|
ACTION-208 |
closed |
Take charter to w3m for review |
Wendy Seltzer |
2014-12-22 |
|
ACTION-209 |
open |
Ask open data/linked data groups for info on data publishing for use in secure context |
Wendy Seltzer |
2015-01-19 |
|
ACTION-210 |
open |
Move sri bugs in bugzilla to github |
Brad Hill |
2015-01-19 |
|
ACTION-211 |
open |
Ask github if they prefer fail open / closed on unknown hashes |
Brad Hill |
2015-01-19 |
|
ACTION-212 |
open |
Issue cfc to take mixed content to cr |
Brad Hill |
2015-02-16 |
|
ACTION-213 |
open |
Reply to brian smith re: csp2 to cr |
Brad Hill |
2015-02-16 |
|
ACTION-214 |
closed |
Ask mozilla ac rep about the current status of their charter objections |
Wendy Seltzer |
2015-03-02 |
|
ACTION-215 |
open |
Schedule conversation with web platform wg chairs and webappsec re csp3 |
Wendy Seltzer |
2016-01-15 |
|
ACTION-216 |
closed |
Examine fetch refs for stability |
Wendy Seltzer |
2016-04-27 |
|
ACTION-217 |
closed |
Ask tag for feedback on secure contexts |
Wendy Seltzer |
2016-05-23 |
|
ACTION-218 |
open |
And dveditz to send call for wide review for referrer policy |
Mike West |
2017-11-13 |
|
ACTION-219 |
open |
And dveditz to send call for wide review for secure contexts |
Mike West |
2017-11-13 |
|
ACTION-220 |
open |
File issue on the spec to match firefox behavior |
Daniel Veditz |
2017-11-13 |
|
ACTION-221 |
open |
Figure out new syntax and send to the list |
Mike West |
2017-11-13 |
|
ACTION-222 |
open |
Take a stab at specifying a cors switch "retry without creds on failure" |
Mike West |
2017-11-14 |
|