Antonio Sartori
I like the idea of banning `,`, meaning we would always issue a preflight in that case.
I believe the answer for CSP rules depends on the answer to the main question (whether the `srcdoc` content is reloaded when navigating back or not). If we store the...
>> I believe the currently specced behaviour is to store the policies in history for srcdoc. > The spec doesn't seem to cover restoring srcdoc pages at all, unless I'm...
Another good question! I am not sure. For history navigations to srcdoc it seemed to be slightly more clear to me, in order to avoid the asymmetry of getting one...
>> is it possible for two session histories to have the same document but have different policy containers? > I am 95% sure this is not possible. (Or if it...
It all makes sense to me. For CSP: For 3. I already have a draft PR to fix the headings problems in https://github.com/w3c/webappsec-csp/pull/621. For 1. I think it would make sense...
Sounds good. I'll try to move forward with the CSP change.
I made progress on CSP https://github.com/w3c/webappsec-csp/pull/621. One thing: I realized that the various "is request blocked" algorithms actually have side effects (reporting violations), hence, opposite to what I was proposing...
Ok. I think it would be good to spell out in the explainer how iframes would behave w.r.t. this attribute.
Detailing what kind of information would be reported also seems important here. Depending on that, it might be difficult for embedded resources to assess the risk of opting in in...