Mike West
We should pull the CSS into this repo, and just embed it into the templates (with a flag, perhaps?)
https://freedom-to-tinker.com/2014/12/19/how-cookies-can-be-used-for-global-surveillance/ https://senglehardt.com/papers/www15_cookie_surveil.pdf
As a mitigation against dangling markup attacks (which inject open tags like `
Chrome has some funky behavior around HTMLMediaElement + redirected range requests. https://codereview.chromium.org/1220963004 denied responses to range requests if their origin is distinct from the origin response for the initial request....
In https://crbug.com/680970, we've been iterating on some metrics in Chrome in the hopes of implementing some simple heuristics that would reduce the risk of data exfiltration due to dangling markup...
By default, IDL constructs are exposed to both secure and non-secure contexts, subject only to the `Exposed` attribute. Developers can opt into stricter checks by adding `[SecureContext]` to their constructs, which...
Given the state of the spec, the test suite, and the shipping implementation in Chromium-based browsers, it seems reasonable to publish the document as an FPWD. This issue will serve...
Many modern frameworks use [`data-`](https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes) attributes for a number of purposes, up to and including script execution (see [Script Gadgets](https://github.com/google/security-research-pocs/tree/master/script-gadgets) for some examples). While the browser understands the purpose of...
https://immersive-web.github.io/dom-overlays/#security reasonably calls out `frame-src` as applying to overlay content. It would be reasonable to note that the content itself might reasonably opt-out of such embedding via `x-frame-options` and/or `frame-ancestor`....
To improve the quality of CSP reports, it would be helpful for [`HostEnsureCanCompileStrings()`](https://tc39.github.io/ecma262/#sec-hostensurecancompilestrings) to include the string to be compiled as an argument. `HostEnsureCanCompileStrings(callerRealm, calleeRealm, source)` seems ideal. :) The...