| ID | State | Title | Raised on | Product | Open Actions |
|---|---|---|---|---|---|
| ISSUE-1 | CLOSED | Harmonize header spec with OWS / new definitions in HTTP work @ IETF | 2011-10-31 | CORS | 0 |
| ISSUE-2 | CLOSED | Check for simple/standard request needs to check what the value of content-type header is to determine CORS request type | 2011-10-31 | CORS | 0 |
| ISSUE-3 | CLOSED | How to handle directives that are not understood in v 1.0 | 2011-10-31 | CSP Level 1 | 0 |
| ISSUE-4 | CLOSED | Solicit for input on policy intersection / conflict resolution | 2011-10-31 | CSP Level 1 | 0 |
| ISSUE-5 | PENDING REVIEW | Is covering identical UI with different effects in-scope? e.g. "like" button that doesn't indicate what you're liking | 2011-11-01 | UI Security | 0 |
| ISSUE-6 sandbox | CLOSED | Should the sandbox directive be part of CSP 1.0? | 2011-11-03 | CSP Level 1 | 0 |
| ISSUE-7 policy-uri | CLOSED | Should the policy-uri directive be in CSP 1.0? | 2011-11-03 | CSP Level 1 | 0 |
| ISSUE-8 | CLOSED | Identify proper behavior for html added via plugins / object tag | 2011-11-22 | CSP Level 1 | 0 |
| ISSUE-9 | CLOSED | Should the user agent fire the error event when an img-src load fails? | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-10 | CLOSED | Processing model for object element and frame-src directive | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-11 Violation report privacy | CLOSED | Violation report privacy issues | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-12 | CLOSED | Should 'self' be required to be replaced by explicit host in reports? | 2012-01-17 | CSP Level 1 | 0 |
| ISSUE-13 URI Fragments in 1.1 | CLOSED | Optionally include URI fragments in violation reports for v1.1 | 2012-02-14 | CSP Level 1 | 0 |
| ISSUE-14 META tag for CSP | CLOSED | Investigate whether to keep the META tag for CSP | 2012-03-13 | CSP Level 1 | 0 |
| ISSUE-15 SRCDOC, BLOB, ETC | CLOSED | How to handle srcdoc, blob:, di: and ways of directly creating content | 2012-07-03 | CSP Level 2 | 0 |
| ISSUE-16 CSP informs client, cannot restrict it | CLOSED | Editorial: CSP cannot dictate client behavior, only inform it | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-17 Extension compat | CLOSED | CSP should take into account extensions which modify content | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-18 CSP as risk assessment score | CLOSED | Use CSP to report app risk and compatibility with user specified restrictions | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-19 Interaction of CSP and IRIs | CLOSED | How are non-ASCII characters handled in CSP | 2012-09-11 | CSP Level 1 | 0 |
| ISSUE-20 | CLOSED | If browsers apply UI Security heuristic without an explicit opt-in policy, should we always block and not have the unsafe UIEvent property | 2012-11-01 | UI Security | 0 |
| ISSUE-21 | POSTPONED | Do assistive technologies send real events or synthetic events? | 2012-11-01 | UI Security | 0 |
| ISSUE-22 | PENDING REVIEW | Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so event is not delivered) | 2012-11-01 | UI Security | 0 |
| ISSUE-23 | CLOSED | Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block so event is not delivered | 2012-11-01 | | 0 |
| ISSUE-24 | CLOSED | (); | 2012-11-01 | | 0 |
| ISSUE-25 | CLOSED | Do frame-options directives (or other UISafety directives) make sense in a meta tag context? | 2012-11-01 | UI Security | 0 |
| ISSUE-26 | CLOSED | Does the sandbox directive make sense in a meta tag context? | 2012-11-01 | CSP Level 2 | 0 |
| ISSUE-27 | CLOSED | Implementation concern on how to enforce display-time: should we provide more advice on how to do this efficiently? | 2012-11-01 | UI Security | 0 |
| ISSUE-28 | PENDING REVIEW | What specific attacks are prevented by OS screenshots, should this be recommended against generally? | 2012-11-01 | UI Security | 0 |
| ISSUE-29 | PENDING REVIEW | What are sane defaults for clipping with clipping or selectors? | 2012-11-01 | UI Security | 0 |
| ISSUE-30 | CLOSED | How to address dynamic application of CSP post page load / partial page load via META or script interface | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-31 | CLOSED | What specification's definition of URL/URI are we using for path parsing in CSP 1.1? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-32 | CLOSED | Do we specify that path-specificity applies only to hierarchical URI schemes? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-33 | CLOSED | Need to address blob, data, filesystem URL types with greater specificity in CSP 1.1 spec | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-34 | OPEN | Discuss use cases / risks of script access to CSP information, solicit specific public comment on this feature with FPWD | 2012-11-02 | CSP Level 3 | 0 |
| ISSUE-35 | CLOSED | Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs? | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-36 | CLOSED | hash as a source expression for csp 1.1 | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-37 | CLOSED | How to apply plugin-types in CSP 1.1 to iframes | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-38 | CLOSED | Discuss no-mixed-content further as a 1.1 experimental directive | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-39 | CLOSED | Discuss CSP relevant use cases for possibly including Meta Referrer as a CSP directive | 2012-11-02 | CSP Level 2 | 0 |
| ISSUE-40 X-XSS-Protection | CLOSED | Look at incorporating X-XSS-Protection functionality into CSP 1.1 | 2012-11-08 | CSP Level 2 | 0 |
| ISSUE-41 CSP and malicious extensions | CLOSED | CSP does not protect against malicious extensions | 2012-12-19 | CSP Level 1 | 0 |
| ISSUE-42 CSS Nonce | CLOSED | Script-nonce allows inline script, similar treatment for inline css? | 2013-02-01 | CSP Level 2 | 0 |
| ISSUE-43 Custom Elements in CSP 1.1 | CLOSED | How are custom elements handled in CSP 1.1? | 2013-02-01 | CSP Level 2 | 0 |
| ISSUE-44 | OPEN | Same-origin policy identity query via script-hash. Issue is you do a third party inline script with a known script-hash. If it succeeds, you know that the target was as expected, even though you can't read it | 2013-02-26 | Subresource Integrity Level 1 | 0 |
| ISSUE-45 'top-only' | CLOSED | Is 'top-only' worth preserving? | 2013-03-05 | UI Security | 0 |
| ISSUE-46 Does nonce make CSP header security-sensitive | CLOSED | Does inclusion of things like nonce make CSP a sensitive header? | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-47 | CLOSED | Revisit combinations of header and meta tags | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-48 base uri | CLOSED | injection of a <base> tag to change effective location of relative resources | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-49 | CLOSED | add http response code to report? | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-50 | CLOSED | plugin-type directive and media source list for IE CLSID guids | 2013-04-25 | CSP Level 2 | 0 |
| ISSUE-51 | CLOSED | How to handle externally defined <element> with <link rel=import> | 2013-04-25 | | 0 |
| ISSUE-52 unsafe DOM API | CLOSED | unsafe attribute requires every handler to check | 2013-04-25 | UI Security | 0 |
| ISSUE-53 UI Security model for composited drawing models | CLOSED | UI Security model for composited drawing models | 2013-04-26 | UI Security | 0 |
| ISSUE-54 uri vs url | CLOSED | policy-uri vs. policy-url, (also report, etc.) | 2013-07-02 | CSP Level 2 | 0 |
| ISSUE-55 input-protection and seamless iframes | CLOSED | How to handle seamless flag for input-protection policies? | 2013-10-31 | UI Security | 0 |
| ISSUE-56 child src navigation | CLOSED | Should we restrict subsequent navigation within child-src? | 2014-01-14 | CSP Level 2 | 0 |
| ISSUE-57 | OPEN | Do we want to control popups, if so, how? | 2014-02-10 | CSP Level 3 | 0 |
| ISSUE-58 Late binding of CSP | CLOSED | Late binding of CSP policies | 2014-04-08 | CSP Level 2 | 0 |
| ISSUE-59 SVG rules for CSP | CLOSED | Figure out how to use CSP appropriately with SVG modes | 2014-04-23 | CSP Level 2 | 0 |
| ISSUE-60 CSP and META | CLOSED | Injecting META tags can be an interesting bypass technique, possibly | 2014-04-23 | CSP Level 3 | 0 |
| ISSUE-61 | CLOSED | Should we mark referrer and reflected-xss as at risk in csp 1.1 lcwd? | 2014-06-18 | | 0 |
| ISSUE-62 | CLOSED | is reflected-xss at risk? | 2014-06-18 | | 1 |
| ISSUE-63 | CLOSED | Disposition of ch-csp client hint | 2014-08-27 | | 0 |
| ISSUE-64 | OPEN | Csp3 how to deal with large policies needed by single-page webapps (http://lists.w3.org/archives/public/public-webappsec/2014aug/0021.html) | 2014-08-27 | CSP Level 3 | 0 |
| ISSUE-65 | RAISED | Does "no referrer" specify a state or is it a token? Is a token with a space problematic? | 2014-08-27 | Referrer Policy | 0 |
| ISSUE-66 | RAISED | No-external-navigation as potential csp3 feature http://lists.w3.org/archives/public/public-webappsec/2014aug/0053.html | 2014-08-27 | CSP Level 3 | 0 |
| ISSUE-67 | OPEN | WebRTC via 'connect-src'? | 2014-09-03 | CSP Level 3 | 0 |
| ISSUE-68 401 prompting by subresources | OPEN | How to manage 401 phishing prompts by subresources | 2014-10-27 | CSP Level 3 | 0 |
| ISSUE-69 Overt channel control in CSP | RAISED | Consider directives to manage postMessage and external navigation of iframes | 2014-10-28 | CSP Level 3 | 0 |
| ISSUE-70 Using ni:/// as CSP source | RAISED | Investigate using ni:/// as a CSP source expression | 2014-11-04 | CSP Level 3 | 0 |
| ISSUE-71 JSONP directives | RAISED | Consider directives in CSP Level 3 to reduce attack surface of legacy JSONP interfaces | 2014-11-04 | CSP Level 3 | 0 |
| ISSUE-72 Streaming Integrity | RAISED | How to apply integrity verification to large / streaming downloads | 2014-11-17 | Subresource Integrity Level 2 | 0 |
| ISSUE-73 CSP path matching | RAISED | Consider allowing relative paths (to 'self') in source productions | 2014-12-30 | CSP Level 3 | 0 |
| ISSUE-74 plugin-types 'none' | RAISED | allow explicitly setting the 'none' keyword source for plugin-type directive | 2014-12-30 | CSP Level 3 | 0 |