mikewest / websec


Web Security

There are a number of somewhat foundational documents that I think are missing at the moment. This repo is a mechanism for me to outline the things that I think would be useful, and, hopefully, help folks to get started actually writing them (because I have a loooong list of unfinished projects):

  • What is the same-origin policy? Why is it important? What is its impact (on sites, on specs, etc)?
  • What threat models do we care about on the web? How can they be mitigated?
  • WebAppSec explainers:
    • "What is X? Why should I care? How can I use it?"
      • CSP (Content Security Policy)
      • EPR (Entry Point Regulation)
      • SRI (Subresource Integrity)
      • REFERRER (Referrer Policy)
    • "Why am I getting this error? How do I fix it?"
      • MIX (Mixed Content)
      • POWER (Powerful Features, later renamed Secure Contexts)
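The first item on the list asks what the same-origin policy is. The one-line answer is that the browser compares an origin tuple of (scheme, host, port), and nothing else about the URL (path, query, fragment, userinfo) takes part. The following is an added illustration, not code from this repo: it derives that tuple with the WHATWG URL parser that ships in browsers and Node and compares two URLs the way a same-origin check does. The default-port table and the decision to treat every non-network scheme as an opaque origin are this example's own simplifications.

```javascript
// Added example (not part of mikewest/websec): the (scheme, host, port)
// comparison behind the same-origin policy, built on the WHATWG URL parser.

// Default ports for the network schemes the URL standard calls "special".
// Table is an assumption of this example, kept small on purpose.
const DEFAULT_PORTS = {
  'http:': '80',
  'https:': '443',
  'ws:': '80',
  'wss:': '443',
  'ftp:': '21',
};

// Returns the origin tuple for a URL, or null for an opaque origin.
// Opaque origins (data:, file:, and anything else without a network
// authority in this simplified model) serialize as "null" in browsers
// and are never same-origin with anything, including themselves.
function originOf(input) {
  const u = new URL(input);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    // The parser has already lower-cased and IDNA-normalised the host, so
    // "EXAMPLE.com" and "example.com" compare equal here.
    host: u.hostname,
    // URL strips a port equal to the scheme's default, so fill it back in;
    // https://example.com and https://example.com:443 must match.
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Same-origin check: all three tuple members must be equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs showing which URL parts matter and which do not.
const SAMPLE_PAIRS = [
  ['https://example.com/app?x=1#top', 'https://example.com:443/api'], // path, query, fragment, default port ignored
  ['https://user:pw@example.com/', 'https://example.com/'],           // userinfo ignored
  ['https://EXAMPLE.com/', 'https://example.com/'],                   // host case ignored
  ['http://example.com/', 'https://example.com/'],                    // scheme matters
  ['https://www.example.com/', 'https://example.com/'],               // subdomain is a different host
  ['https://example.com/', 'https://example.com:8443/'],              // port matters
  ['data:text/html,<p>a</p>', 'data:text/html,<p>a</p>'],             // opaque origin, never same-origin
];

for (const [a, b] of SAMPLE_PAIRS) {
  console.log(`${sameOrigin(a, b) ? 'same   ' : 'cross  '} ${a}  vs  ${b}`);
}
```

Note that this models the policy as browsers apply it to network schemes; inherited origins (about:blank, blob: URLs created by a document) and the legacy document.domain relaxation are deliberately out of scope here.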
