best-practices

FAQ

• Yes, my issue is not about variability or throttling.
• Yes, my issue is not about a specific accessibility audit (file with axe-core instead).

URL

https://www.google.com

Wha

What would you like to happen?
The sections 4.7.11.1 Testing for Local File Inclusion & 4.7.11.2 Testing for Remote File Inclusion address two attack vectors that are very similar one to the other. Given this situation and the few documentation on the Remote injection one, my proposal would be to merge both in a single section called Testing for File Injection.

This hint has been around since 2018 and is documented on webhint.io (https://webhint.io/docs/user-guide/hints/hint-doctype/). However it's not enabled by default in any of webhint's configurations (likely an oversight).

We should turn this on by default and perform any necessary cleanup in the process (e.g. switching to get locations from webhint's location-aware DOM that was added after the

Web Packaging "comes in several layers":

• Bundled HTTP Exchanges (Web Bundles):
  https://datatracker.ietf.org/doc/html/draft-ietf-wpack-bundled-responses

  .wbn file extension = application/webbundle

• Signed HTTP Exchanges:
  https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses

  .sxg file extension = `application/signe

Example:

https://github.com/whitesmith/rubycritic/blob/d673a2c75e4fb1d7f6776b77c63401a4aedf0112/lib/rubycritic/cli/options/file.rb#L41

The new default should be main.