The next iteration of CSP is far enough along to discuss. I'd appreciate it if you'd give feedback on https://w3c.github.io/webappsec-csp/ :)
@mikewest could source-file in deprecated serialization leak data in edge cases? The "strip uri for reporting" steps from CSP 2.0 are gone?
@mikewest imagine a site where you can upload text/plain (includable as script) and /upload/a.txt redirs to /upload/a.txt?sessionid or w/e

@tehjh: It might. The problem with that whole section is that it's terribly defined. ECMA doesn't define how we'd grab a file name at all.

@tehjh: And neither does HTML. So, I'd like to say something like the note in https://w3c.github.io/webappsec-csp/#create-violation-for-request …, but I've nothing to hook into.

@tehjh: Still, I'll add a note about the UA requirements for that field in particular. Thanks! ( https://github.com/w3c/webappsec-csp/issues/47 … )