GitHub - mikewest/baseline-header: What if developers could opt-into better default behaviors en masse, forcing them to pick and choose the legacy risks they want to enable.You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
GitHub - mikewest/coop-by-default: Wouldn't it be nice if `Cross-Origin-Opener-Policy` was applied by default?
When a web application opens another origin in a window, it obtains a JavaScript reference to that context that it can reach through to poke at various things. The opened context likewise receives a reference to its opener which provides similar access. This communication channel between the two windows enables attacks both at the web API level (postMessage vulnerabilities, navigation trickery, an
GitHub - mikewest/deprecating-document-domain: `document.domain` intentionally weakens the only security boundary we have. Perhaps we can dump it?
The primary security boundary of the World Wide Web is the origin. The same-origin policy guarantees that one web page cannot access (modify, or extract data from) another page, unless those pages are hosted on the same origin. Several pages within an origin can fully cooperate as a single website, but pages from different origins are isolated and cannot interfere with each other. The same origin
GitHub - mikewest/tc39-proposal-literals: Literals could be different than non-literals.
HTML's DOM offers a number of mechanisms to turn arbitrary strings into markup (.innerHTML = ...) or code (scriptEl.innerText = ..., el.onclick = ..., etc). Each of these mechanisms can serve as an XSS sink, giving an attacker the ability to feed code into a context that wasn't expecting it, leading to a class of DOM-based XSS attacks that we'd very much like to avoid. One way of addressing this i
1
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
GitHub - mikewest/embedding-requires-opt-in: Embedding a document (via `<iframe>`, etc) should require explicit opt-in from the embedee.
GitHub - mikewest/scheming-cookies: Cookies should take scheme into account, just like every other storage mechanism on the web.
GitHub - mikewest/privacy-budget
GitHub - mikewest/strict-navigation-security: What if HSTS only applied to top-level navigations?
GitHub - mikewest/cookies-over-http-bad: Archived proposal from 2018. Perhaps the approach in mikewest/scheming-cookies will be more successful!
webappsec-mixed-content/proposed-level-2-roadmap.md at master · mikewest/webappsec-mixed-content