

Web Application Security Working Group repo


Statistics on webappsec

Number of watchers on Github 287
Number of open issues 88
Average time to close an issue 17 days
Main language HTML
Average time to merge a PR 5 days
Open pull requests 4+
Closed pull requests 8+
Last commit almost 2 years ago
Repo Created almost 6 years ago
Repo Last Updated over 1 year ago
Size 8.61 MB
Organization / Author w3c
Web Application Security Working Group

Table of Specifications

| Status | Specification | ED | TR |
|---|---|---|---|
| Complete | Content Security Policy Level 1 | | NOTE: /TR/CSP1 |
| Complete | Subresource Integrity | webappsec-subresource-integrity | REC: /TR/SRI/ |
| Complete | Content Security Policy Level 2 | webappsec-csp | REC: /TR/CSP2 |
| Stable | Mixed Content | webappsec-mixed-content | CR: /TR/mixed-content/ |
| Stable | Upgrade Insecure Requests | webappsec-upgrade-insecure-requests | WD: /TR/upgrade-insecure-requests/ |
| Stable | Secure Contexts | webappsec-secure-contexts | CR: /TR/powerful-features/ |
| Stable | Referrer Policy | webappsec-referrer-policy | CR: /TR/referrer-policy/ |
| Stabilizing | Credential Management Level 1 | webappsec-credential-management | WD: /TR/credential-management/ |
| Stabilizing | Permissions API | permissions | FPWD: /TR/permissions/ |
| Stabilizing | Content Security Policy Level 3 | webappsec-csp | WD: /TR/CSP |
| Works in Progress | Clear Site Data | webappsec-clear-site-data | FPWD: /TR/clear-site-data/ |
| Works in Progress | Confinement with Origin Web Labels | webappsec-cowl | FPWD: /TR/cowl/ |
| Works in Progress | CSP Pinning | webappsec-csp | FPWD: /TR/csp-pinning/ |
| Works in Progress | Entry Point Regulation | webappsec-epr | FPWD: /TR/epr/ |

webappsec open issues
  • about 3 years Clarify CSP header recommendations for non-HTML pages
  • about 3 years CSP in single-page applications
  • about 3 years Way to disown window.opener and become a secure context
  • over 3 years CSP3: The effect of multiple policies
  • over 3 years CSP2: Default value of default-src is incorrect
  • over 3 years CSP: Consider dot-prefix domains for wildcard matching
  • over 3 years Usage of referrerpolicy="no-referrer" for DoS attacks
  • over 3 years CSP: Consider a flag to turn off console logging for Report-Only
  • almost 4 years Definition of "potentially secure origin" says nonsensical things about "about", and makes about: URLs not potentially secure URLs
  • about 4 years [SRI] Shared Cache through `sharedcache` attribute
  • about 4 years SRI: Integrity enforcement on downloads
  • about 4 years SRI: media fragments
  • about 4 years SRI: needs integration with whatwg/html
  • about 4 years Add test cases for jar: scheme
  • about 4 years Referrer policy and Ping-From/Ping-To headers
  • about 4 years [SRI] Integrity option in importScripts
  • about 4 years [SRI] Shorter hashes
  • about 4 years [SRI] Support signatures/asymm key
  • about 4 years EPR: Provide a way to apply a policy to a path (instead of a whole domain)
  • about 4 years Allow public-key signatures in CSP allowed script sources
  • about 4 years CSP: Provide a way to restrict domain of document.cookie
  • over 4 years MIX: Link "deprecated authentication" to HTTPS State.
  • over 4 years Clarify handling of style attribute vs. individual elements contributing to computed style
  • over 4 years Mixed Content: fetch() in service workers broken
  • over 4 years REFERRER: Examples
  • over 4 years Mixed Content: express UI requirements imperatively
  • over 4 years Referrer attribute and Fetch integration
  • over 4 years REFERRER: Allowed values for the referrer attribute
  • over 4 years CSP: specify whether unsafe-inline or unsafe-eval was violated in violation reports
  • over 4 years CSP: Refused to execute inline script even with a valid sha1 or sha256
webappsec open pull requests
  • Improving preventDefault implementation
  • Explore automatic publication with Travis & Echidna
  • Mixed content upgrades
  • CSP3: message-src message-sink