There are 74 issues listed in the system.

| ID | Short name | State | Title | Raised on | Product | Open Actions |
|---|---|---|---|---|---|---|
| ISSUE-1 | | CLOSED | Harmonize header spec with OWS / new definitions in HTTP work @ IETF | 2011-10-31 | CORS | 0 |
| ISSUE-2 | | CLOSED | Check for simple/standard request needs to check what the value of content-type header is to determine CORS request type | 2011-10-31 | CORS | 0 |
| ISSUE-3 | | CLOSED | How to handle directives that are not understood in v 1.0 | 2011-10-31 | CSP Level 1 | 0 |
| ISSUE-4 | | CLOSED | Solicit for input on policy intersection / conflict resolution | 2011-10-31 | CSP Level 1 | 0 |
| ISSUE-5 | | PENDING REVIEW | Is covering identical UI with different effects in-scope? e.g. "like" button that doesn't indicate what you're liking | 2011-11-01 | UI Security | 0 |
| ISSUE-6 | | CLOSED | Should the sandbox directive be part of CSP 1.0? | 2011-11-03 | CSP Level 1 | 0 |
| ISSUE-7 | | CLOSED | Should the policy-uri directive be in CSP 1.0? | 2011-11-03 | CSP Level 1 | 0 |
| ISSUE-8 | | CLOSED | Identify proper behavior for html added via plugins / object tag | 2011-11-22 | CSP Level 1 | 0 |
| ISSUE-9 | | CLOSED | Should the user agent fire the error event when an img-src load fails? | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-10 | | CLOSED | Processing model for object element and frame-src directive | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-11 | Violation report privacy | CLOSED | Violation report privacy issues | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-12 | | CLOSED | Should 'self' be required to be replaced by explicit host in reports? | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-13 | URI Fragments in 1.1 | CLOSED | Optionally include URI fragments in violation reports for v1.1 | 2012-02-14 | CSP Level 1 | 0 |
| ISSUE-14 | META tag for CSP | CLOSED | Investigate whether to keep the META tag for CSP | 2012-03-13 | CSP Level 1 | 0 |
| ISSUE-15 | | CLOSED | How to handle srcdoc, blob:, di: and ways of directly creating content | 2012-07-03 | CSP Level 2 | 0 |
| ISSUE-16 | CSP informs client, cannot restrict it | CLOSED | Editorial: CSP cannot dictate client behavior, only inform it | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-17 | Extension compat | CLOSED | CSP should take into account extensions which modify content | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-18 | CSP as risk assessment score | CLOSED | Use CSP to report app risk and compatibility with user specified restrictions | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-19 | Interaction of CSP and IRIs | CLOSED | How are non-ASCII characters handled in CSP | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-20 | | CLOSED | If browsers apply UI Security heuristic without an explicit opt-in policy, should we always block and not have the unsafe UIEvent property | 2012-11-01 | UI Security | 0 |
| ISSUE-21 | | POSTPONED | Do assistive technologies send real events or synthetic events? | 2012-11-01 | UI Security | 0 |
| ISSUE-22 | | PENDING REVIEW | Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so event is not delivered) | 2012-11-01 | UI Security | 0 |
| ISSUE-23 | | CLOSED | Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block so event is not delivered | 2012-11-01 | | 0 |
| ISSUE-24 | | CLOSED | (); | 2012-11-01 | | 0 |
| ISSUE-25 | | CLOSED | Do frame-options directives (or other UISafety directives) make sense in a meta tag context? | 2012-11-01 | UI Security | 0 |
| ISSUE-26 | | CLOSED | Does the sandbox directive make sense in a meta tag context? | 2012-11-01 | CSP Level 2 | 0 |
| ISSUE-27 | | CLOSED | Implementation concern on how to enforce display-time: should we provide more advice on how to do this efficiently? | 2012-11-01 | UI Security | 0 |
| ISSUE-28 | | PENDING REVIEW | What specific attacks are prevented by OS screenshots, should this be recommended against generally? | 2012-11-01 | UI Security | 0 |
| ISSUE-29 | | PENDING REVIEW | What are sane defaults for clipping with clipping or selectors? | 2012-11-01 | UI Security | 0 |
| ISSUE-30 | | CLOSED | How to address dynamic application of CSP post page load / partial page load via META or script interface | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-31 | | CLOSED | What specification's definition of URL/URI are we using for path parsing in CSP 1.1? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-32 | | CLOSED | Do we specify that path-specificity applies only to hierarchical URI schemes? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-33 | | CLOSED | Need to address blob, data, filesystem URL types with greater specificity in CSP 1.1 spec | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-34 | | OPEN | Discuss use cases / risks of script access to CSP information, solicit specific public comment on this feature with FPWD | 2012-11-02 | CSP Level 3 | 0 |
| ISSUE-35 | | CLOSED | Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-36 | | CLOSED | hash as a source expression for csp 1.1 | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-37 | | CLOSED | How to apply plugin-types in CSP 1.1 to iframes | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-38 | | CLOSED | Discuss no-mixed-content further as a 1.1 experimental directive | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-39 | | CLOSED | Discuss CSP relevant use cases for possibly including Meta Referrer as a CSP directive | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-40 | | CLOSED | Look at incorporating X-XSS-Protection functionality into CSP 1.1 | 2012-11-08 | CSP Level 2 | 0 |
| ISSUE-41 | CSP and malicious extensions | CLOSED | CSP does not protect against malicious extensions | 2012-12-19 | CSP Level 1 | 0 |
| ISSUE-42 | CSS Nonce | CLOSED | Script-nonce allows inline script, similar treatment for inline css? | 2013-02-01 | CSP Level 2 | 0 |
| ISSUE-43 | Custom Elements in CSP 1.1 | CLOSED | How are custom elements handled in CSP 1.1? | 2013-02-01 | CSP Level 2 | 0 |
| ISSUE-44 | | OPEN | Same-origin policy identity query via script-hash. Issue is you do a third party inline script with a known script-hash. If it succeeds, you know that the target was as expected, even though you can't read it | 2013-02-26 | Subresource Integrity Level 1 | 0 |
| ISSUE-45 | | CLOSED | Is 'top-only' worth preserving? | 2013-03-05 | UI Security | 0 |
| ISSUE-46 | Does nonce make CSP header security-sensitive | CLOSED | Does inclusion of things like nonce make CSP a sensitive header? | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-47 | | CLOSED | Revisit combinations of header and meta tags | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-48 | base uri | CLOSED | injection of a `<base>` tag to change effective location of relative resources | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-49 | | CLOSED | add http response code to report? | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-50 | | CLOSED | plugin-type directive and media source list for IE CLSID guids | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-51 | | CLOSED | How to handle externally defined `<element>` with `<link rel=import>` | 2013-04-25 | | 0 |
| ISSUE-52 | unsafe DOM API | CLOSED | unsafe attribute requires every handler to check | 2013-04-25 | UI Security | 0 |
| ISSUE-53 | UI Security model for composited drawing models | CLOSED | UI Security model for composited drawing models | 2013-04-26 | UI Security | 0 |
| ISSUE-54 | uri vs url | CLOSED | policy-uri vs. policy-url, (also report, etc.) | 2013-07-02 | CSP Level 2 | 0 |
| ISSUE-55 | input-protection and seamless iframes | CLOSED | How to handle seamless flag for input-protection policies? | 2013-10-31 | UI Security | 0 |
| ISSUE-56 | child src navigation | CLOSED | Should we restrict subsequent navigation within child-src? | 2014-01-14 | CSP Level 2 | 0 |
| ISSUE-57 | | OPEN | Do we want to control popups, if so, how? | 2014-02-10 | CSP Level 3 | 0 |
| ISSUE-58 | Late binding of CSP | CLOSED | Late binding of CSP policies | 2014-04-08 | CSP Level 2 | 0 |
| ISSUE-59 | SVG rules for CSP | CLOSED | Figure out how to use CSP appropriately with SVG modes | 2014-04-23 | CSP Level 2 | 0 |
| ISSUE-60 | | CLOSED | Injecting META tags can be an interesting bypass technique, possibly | 2014-04-23 | CSP Level 3 | 0 |
| ISSUE-61 | | CLOSED | Should we mark referrer and reflected-xss as at risk in csp 1.1 lcwd? | 2014-06-18 | | 0 |
| ISSUE-62 | | CLOSED | is reflected-xss at risk? | 2014-06-18 | | 1 |
| ISSUE-63 | | CLOSED | Disposition of ch-csp client hint | 2014-08-27 | | 0 |
| ISSUE-64 | | OPEN | Csp3 how to deal with large policies needed by single-page webapps ( | 2014-08-27 | CSP Level 3 | 0 |
| ISSUE-65 | | RAISED | Does "no referrer" specify a state or is it a token? is a token with a space problematic? | 2014-08-27 | Referrer Policy | 0 |
| ISSUE-66 | | RAISED | No-external-navigation as potential csp3 feature | 2014-08-27 | CSP Level 3 | 0 |
| ISSUE-67 | | OPEN | WebRTC via 'connect-src'? | 2014-09-03 | CSP Level 3 | 0 |
| ISSUE-68 | 401 prompting by subresources | OPEN | How to manage 401 phishing prompts by subresources | 2014-10-27 | CSP Level 3 | 0 |
| ISSUE-69 | Overt channel control in CSP | RAISED | Consider directives to manage postMessage and external navigation of iframes | 2014-10-28 | CSP Level 3 | 0 |
| ISSUE-70 | Using ni:/// as CSP source | RAISED | Investigate using ni:/// as a CSP source expression | 2014-11-04 | CSP Level 3 | 0 |
| ISSUE-71 | JSONP directives | RAISED | Consider directives in CSP Level 3 to reduce attack surface of legacy JSONP interfaces | 2014-11-04 | CSP Level 3 | 0 |
| ISSUE-72 | Streaming Integrity | RAISED | How to apply integrity verification to large / streaming downloads | 2014-11-17 | Subresource Integrity Level 2 | 0 |
| ISSUE-73 | CSP path matching | RAISED | Consider allowing relative paths (to 'self') in source productions | 2014-12-30 | CSP Level 3 | 0 |
| ISSUE-74 | plugin-types 'none' | RAISED | allow explicitly setting the 'none' keyword source for plugin-type directive | 2014-12-30 | CSP Level 3 | 0 |

Daniel Veditz, Mike West (Chairs); Wendy Seltzer, Samuel Weiler (Staff Contacts)
Tracker (documentation; configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team.
$Id: index.html,v 1.1 2020/01/17 08:52:44 carcone Exp $