Skip to content

Issues: w3c/webappsec-csp

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

176 Open 248 Closed
176 Open 248 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Assignee
Filter by who’s assigned
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Issues list

How to specify 2 endpoints for Reporting-Endpoints?
#701 opened Jan 15, 2025 by Wowhere
How to prevent an iframe with srcdoc and defined csp from inheriting the parent page's CSP policies wontfix This proposal or request will not be implemented
#700 opened Dec 7, 2024 by JuanRojasC
1
EnsureCSPDoesNotBlockStringCompilation: calling "Get Trusted Type compliant string" editorial Changes that do not affect how the standard is understood
#698 opened Dec 4, 2024 by fred-wang
EnsureCSPDoesNotBlockStringCompilation: Explain why we need to check TrustedScript's data (and add tests)
#697 opened Dec 4, 2024 by fred-wang
https://w3c.github.io/webappsec-csp/#report-violation invokes "Queue a task" without passing a task source
#696 opened Dec 2, 2024 by mbrodesser-Igalia
Allow RFC3986 scheme relative URIs in host-source
#694 opened Nov 27, 2024 by Mahoney
Consider recommending the usage of events instead of CSP reports for CSP WPTs editorial Changes that do not affect how the standard is understood
#690 opened Nov 19, 2024 by mbrodesser-Igalia
Assigning location.href to a javascript:... is a form of eval agenda+ To be discussed at a triage meeting
#688 opened Nov 4, 2024 by dinofx
13
Should "Should navigation request of type be blocked by Content Security Policy?" set the violation object's element?
#687 opened Oct 24, 2024 by mbrodesser-Igalia
Introduce 'connect-certificate-hash' for WebTransport needs concrete proposal Moving the issue forward requires someone to figure out a detailed plan
#683 opened Oct 8, 2024 by jan-ivar
3
CSP headers are incorrect with multiple rules
#682 opened Oct 8, 2024 by letanloc1998
3
port-part being null is not handled editorial Changes that do not affect how the standard is understood
#680 opened Sep 13, 2024 by evilpie
Feedback request on not capturing the caller in new Function and indirect eval
#679 opened Sep 4, 2024 by nicolo-ribaudo
Should font-src reporting kick in on font-face reference or font request?
#677 opened Aug 22, 2024 by robinwhittleton
6
loading local stylesheets without self source
#676 opened Aug 13, 2024 by nizos
2
Consider using SecurityPolicyViolationEvent.sourceFile a USVString
#674 opened Jul 31, 2024 by emilio
1
CSP spec not user-friendly
#673 opened Jul 23, 2024 by galund
CSP Report Does Not Reflect Redirected Blocked Domains wontfix This proposal or request will not be implemented
#672 opened Jul 15, 2024 by ConardLi
8
Add new CSP sandbox directive to allow SameSite=None cookies on top-level frames
#664 opened May 24, 2024 by DCtheTall
7
frame-src is not effective in restricting the possible origins of subframes
#662 opened May 21, 2024 by antosart
3
Possibility to block all javascript: URLs
#658 opened Apr 30, 2024 by Sjord
3
Upstream trusted type changes
#651 opened Mar 14, 2024 by lukewarlow
1
Document columnNumber format
#649 opened Mar 13, 2024 by stefnotch
1
Google Analytics URLs
#648 opened Feb 29, 2024 by cristiandelgadod
1
"Is element nonceable" not applied to non-<script> elements in Chrome?
#643 opened Feb 12, 2024 by evilpie
ProTip! Find all open issues with in progress development work with linked:pr.