14 changes: 7 additions & 7 deletions index.bs
@@ -1014,7 +1014,7 @@ spec:css-syntax-3;

1. If |permission| is null, continue.

1. If |document| is **not** [=allowed to use=] |permission|, return
1. If |document| is **not** [=/allowed to use=] |permission|, return
[=a promise rejected with=] a "{{NotAllowedError}}" {{DOMException}}.

1. Let |p| be [=a new promise=].
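Review bot: the only change in this hunk is the leading slash in `[=/allowed to use=]`, which makes Bikeshed link the term with an empty `for` value instead of scoping it to the enclosing algorithm; the rejection with a "{{NotAllowedError}}" {{DOMException}} is untouched. Because the same phrase is corrected in a second algorithm below, a grep of index.bs for any remaining `[=allowed to use=]` before merging would confirm no occurrence was missed, and the commit message should record which definition the unslashed link previously resolved to (or that it failed to resolve), since nothing in the diff itself explains why the slash is needed.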
@@ -1212,7 +1212,7 @@ spec:css-syntax-3;

1. If |permission| is null, continue.

1. If |document| is **not** [=allowed to use=] |permission|, return
1. If |document| is **not** [=/allowed to use=] |permission|, return
[=a promise rejected with=] a "{{NotAllowedError}}" {{DOMException}}.

1. If <code>|options|.{{CredentialRequestOptions/signal}}</code> is [=AbortSignal/aborted=],
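Review bot: same autolink fix as the first hunk, applied consistently. One observation on the unchanged context: the [=/allowed to use=] check runs before the <code>|options|.{{CredentialRequestOptions/signal}}</code> [=AbortSignal/aborted=] check, so a document that lacks |permission| gets a "{{NotAllowedError}}" even when the caller's signal is already aborted. Gating on the permission first is the safer order, since it keeps the rejection independent of caller-controlled state, but it is worth confirming the ordering is intentional and consistent with the algorithm in the first hunk.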
@@ -2238,14 +2238,14 @@ spec:css-syntax-3;
which restricts the endpoints to which data can be sent. In particular, developers should ensure
that the following directives are set, explicitly or implicitly, in their pages' policies:

* [=`script-src`=] and [=`object-src`=] both restrict script execution on a page, making
* [=script-src=] and [=object-src=] both restrict script execution on a page, making
it less likely that a cross-site scripting attack will succeed in the first place. If sites
are populating <{form}> elements, also [=`form-action`=] directives should be set.
are populating <{form}> elements, also [=form-action=] directives should be set.

* [=`connect-src`=] restricts the origins to which <a lt=fetch(input)><code>fetch()</code></a>
may submit data (which mitigates the risk that credentials could be exfiltrated to `evil.com`.
* [=connect-src=] restricts the origins to which <a lt=fetch(input)><code>fetch()</code></a>
may submit data (which mitigates the risk that credentials could be exfiltrated to `evil.com`).

* [=`child-src`=] restricts the nested browsing contexts which may be embedded in a page,
* [=child-src=] restricts the nested browsing contexts which may be embedded in a page,
making it more difficult to inject a malicious `postMessage()` target. [[HTML]]

Developers should, of course, also properly escape input and output, and consider using other
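Review bot: the phrase "also [=form-action=] directives should be set" in the first bullet reads awkwardly; suggest "the [=form-action=] directive should also be set". Separately, the lead-in says the directives may be set "explicitly or implicitly": that holds for `connect-src` and `child-src`, which fall back to `default-src` when absent, but `form-action` has no `default-src` fallback in CSP and only takes effect when set explicitly, so the guidance would be stronger if the `form-action` sentence said so. The added closing parenthesis after `evil.com` fixes the unbalanced sentence in the `connect-src` bullet, and dropping the backticks inside the `[=...=]` autolinks is applied uniformly to all four directive names, so nothing in the rendered advice changes beyond the link targets.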