There are a number of somewhat foundational documents that I think are missing at the moment. This repo is a mechanism for me to outline the things that I think would be useful, and, hopefully, help folks to get started actually writing them (because I have a loooong list of unfinished projects):
- What is the same-origin policy? Why is it important? What is its impact (on sites, on specs, etc.)?
- What threat models do we care about on the web? How can they be mitigated?
- WebAppSec explainers:
  - "What is X? Why should I care? How can I use it?"
    - CSP
    - EPR
    - SRI
    - REFERRER
  - "Why am I getting this error? How do I fix it?"
    - MIX
    - POWER
  - "What is X? Why should I care? How can I use it?"