Input for Agenda Planning for the Web Application Security Working Group

This is the view of actions grouped by issues ordered by due dates; see also the view of issues groups by products.

Action Items Pending Review

There are 7 pending review actions.

ID State Title Person Due Date Associated with
ACTION-115 (edit) pending review Make proposal on handling of srcdoc, blob, etc. (ISSUE-15) Adam Barth 2013-05-07 SRCDOC, BLOB, ETC
ACTION-155 (edit) pending review Update csp to reflect that workers use policy resource is delivered with Mike West 2013-11-26
ACTION-156 (edit) pending review CSP: Clarify plugin-src behavior: if able to determine resource, self or none Mike West 2014-11-01 CSP Level 2
ACTION-200 (edit) pending review Investigate git issue tooling with other w3c groups Brad Hill 2014-11-24
ACTION-204 (edit) pending review Reply to mark watson that 1/2 of his issue is a last call comment to mix Brad Hill 2014-11-24
ACTION-205 (edit) pending review Does link really violate csp guarantees? Brad Hill 2014-11-24
ACTION-206 (edit) pending review Reply on referrer suggest imperative policy controls in serviceworker Brad Hill 2014-11-24

Overdue action items

There are 28 overdue actions.

ID State Title Person Due Date Associated with
ACTION-141 (edit) open CSP Next: Update default-src language to be more future-proof Mike West 2015-01-31 CSP Level 3
ACTION-144 (edit) open CSP Next: Propose text on layering of fetch context types with CSP directives Mike West 2015-01-31 CSP Level 3
ACTION-164 (edit) open CSP Next: Integrate mnot's cookie scope proposal. Mike West 2015-01-31 CSP Level 3
ACTION-166 (edit) open to add an explicit "privacy considerations" section to sri Mike West 2014-03-19 Subresource Integrity Level 1
ACTION-167 (edit) open Respond to list queries about hints for content-addressable storage Devdatta Akhawe 2014-05-30 Subresource Integrity Level 1
ACTION-169 (edit) open Read and respond to use of sri hashes for caching/alternate locations: Devdatta Akhawe 2014-05-30 Subresource Integrity Level 1
ACTION-172 (edit) open Review servicewoker issues relevant to csp from github Mike West 2015-01-31 CSP Level 3
ACTION-181 (edit) open Suggest more clear use case and language around exact behavior for noncanonical-src Brad Hill 2014-11-17 Subresource Integrity Level 1
ACTION-182 (edit) open Make sure blob origin is discussed further on list Brad Hill 2014-11-17 CSP Level 3
ACTION-186 (edit) open Do more research on preventing 401 attach Brad Hill 2015-01-31 CSP Level 3
ACTION-188 (edit) open Evaluate json-src Mike West 2015-01-31 CSP Level 3
ACTION-189 (edit) open Evaluate script-ancestors Mike West 2015-01-31 CSP Level 3
ACTION-190 (edit) open Is reflected-xss directive at risk? David Walp 2014-11-03 ISSUE-62
ACTION-192 (edit) open Evaluate control over nesting depth. Mike West 2014-11-03 CSP Level 3
ACTION-198 (edit) open Take bookmarklets discussion back to the list Brad Hill 2014-11-17 CSP Level 3
ACTION-199 (edit) open Keep topic of internet/intranet connectivity and https on the w3c radar Wendy Seltzer 2014-11-03
ACTION-207 (edit) open Raise definition of sandboxed worker in html spec Brad Hill 2014-11-24
ACTION-209 (edit) open Ask open data/linked data groups for info on data publishing for use in secure context Wendy Seltzer 2015-01-19
ACTION-210 (edit) open Move sri bugs in bugzilla to github Brad Hill 2015-01-19
ACTION-211 (edit) open Ask github if they prefer fail open / closed on unknown hashes Brad Hill 2015-01-19
ACTION-212 (edit) open Issue cfc to take mixed content to cr Brad Hill 2015-02-16
ACTION-213 (edit) open Reply to brian smith re: csp2 to cr Brad Hill 2015-02-16
ACTION-215 (edit) open Schedule conversation with web platform wg chairs and webappsec re csp3 Wendy Seltzer 2016-01-15
ACTION-218 (edit) open And dveditz to send call for wide review for referrer policy Mike West 2017-11-13
ACTION-219 (edit) open And dveditz to send call for wide review for secure contexts Mike West 2017-11-13
ACTION-220 (edit) open File issue on the spec to match firefox behavior Daniel Veditz 2017-11-13
ACTION-221 (edit) open Figure out new syntax and send to the list Mike West 2017-11-13
ACTION-222 (edit) open Take a stab a specifying a cors switch "retry without creds on failure" Mike West 2017-11-14

Action items due next week

There are 0 upcoming actions.

Issues discussed over the last week

There are 0 recently discussed issues listed in the system.

Raised Issues

There are 8 raised issues listed in the system.

ID State Title Raised on Product Open Actions
ISSUE-65 (edit) RAISED Does "no referrer" specify a state or is it a token? is a token with a space problematic? 2014-08-27 Referrer Policy 0
ISSUE-66 (edit) RAISED No-external-navigation as potential csp3 feature 2014-08-27 CSP Level 3 0
ISSUE-69 (edit)
Overt channel control in CSP
RAISED Consider directives to manage postMessage and external navigation of iframes 2014-10-28 CSP Level 3 0
ISSUE-70 (edit)
Using ni:/// as CSP source
RAISED Investigate using ni:/// as a CSP source expression 2014-11-04 CSP Level 3 0
ISSUE-71 (edit)
JSONP directives
RAISED Consider directives in CSP Level 3 to reduce attack surface of legacy JSONP interaces 2014-11-04 CSP Level 3 0
ISSUE-72 (edit)
Streaming Integrity
RAISED How to apply integrity verification to large / streaming downloads 2014-11-17 Subresource Integrity Level 2 0
ISSUE-73 (edit)
CSP path matching
RAISED Consider allowing relative paths (to 'self') in source productions 2014-12-30 CSP Level 3 0
ISSUE-74 (edit)
plugin-types 'none'
RAISED allow explicitly setting the 'none' keyword source for plugin-type directive 2014-12-30 CSP Level 3 0

Pending Review Issues

The following issues are candidate for closing.

There are 4 pending review issues listed in the system.

ID State Title Raised on Product Open Actions
ISSUE-5 (edit) PENDING REVIEW Is covering identical UI with different effects in-scope? e.g. "like" button that doesn't indicate what you're liking 2011-11-01 UI Security 0
ISSUE-22 (edit) PENDING REVIEW Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so event is not delivered) 2012-11-01 UI Security 0
ISSUE-28 (edit) PENDING REVIEW What specific attacks are prevented by OS screenshots, should this be recommended against generally? 2012-11-01 UI Security 0
ISSUE-29 (edit) PENDING REVIEW What are sane defaults for clipping with clipping or selectors? 2012-11-01 UI Security 0

Daniel Veditz <>, Mike West <>, Chairs, Wendy Seltzer <>, Samuel Weiler <>, Staff Contacts
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: agenda.html,v 1.1 2020/01/17 08:51:03 carcone Exp $