
[webappsec] subsume X-XSS-Protection into CSP 1.1?

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 8 Nov 2012 20:01:21 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2E49A1@DEN-EXDDA-S12.corp.ebay.com>

As I'm here at the IETF, reviewing the websec's charter statement and framework requirements, I note that one of the goals that drove the formation of both our WGs was to reduce fragmentation and duplication of security features and make it easier for resource owners to author policy through a consolidated, extensible mechanism.

In that spirit, I wonder if another logical directive for CSP 1.1 might be to incorporate the features currently provided by "X-XSS-Protection". It eliminates the need for another X- header, and seems like a logical fit.

Would there be any interest in this from implementers who currently manage XSS filters in their browser?

-Brad
Received on Thursday, 8 November 2012 20:01:50 GMT
