Devdatta Akhawe
If I have a website that I want to allow framing by trusted third-parties (via CSP frame-ancestors), I can't use SameSite cookies to prevent CSRF attacks. This is unfortunate as...
If CSP whitelists a hash, an inline script with that hash or a remote script with that hash in its integrity attributes are both signed. If a CSP whitelists a...
It can be annoying and wasteful to repeatedly mention the same public key in all the script tags. Different options to fix this could be: [] Repurpose something like `require-sri-for...
While key rotation and revocation in general is a topic beyond the scope of this spec, it seems pretty clear to me that we do need the basic ability to...