Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?

On Thu, Nov 8, 2012 at 12:01 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> As I’m here at the IETF, reviewing the websec’s charter statement and
> framework requirements, I note that one of the goals that drove the
> formation of both our WGs was to reduce fragmentation and duplication of
> security features and make it easier for resource owners to author policy
> through a consolidated, extensible mechanism.
>
> In that spirit, I wonder if another logical directive for CSP 1.1 might be
> to incorporate the features currently provided by “X-XSS-Protection”. It
> eliminates the need for another X- header, and seems like a logical fit.
>
> Would there be any interest in this from implementers who currently manage
> XSS filters in their browser?

Yes.

Adam

Received on Thursday, 8 November 2012 20:08:46 UTC