
Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 8 Nov 2012 12:07:46 -0800
Message-ID: <CAJE5ia-80d7GWS+rnBQAsnHi=1xzPfMc_r6pgK8qRYC4obpaLg@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Nov 8, 2012 at 12:01 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> As I’m here at the IETF, reviewing the websec’s charter statement and
> framework requirements, I note that one of the goals that drove the
> formation of both our WGs was to reduce fragmentation and duplication of
> security features and make it easier for resource owners to author policy
> through a consolidated, extensible mechanism.
>
> In that spirit, I wonder if another logical directive for CSP 1.1 might be
> to incorporate the features currently provided by “X-XSS-Protection”.  It
> eliminates the need for another X- header, and seems like a logical fit.
>
> Would there be any interest in this from implementers who currently manage
> XSS filters in their browser?

Yes.

Adam
Received on Thursday, 8 November 2012 20:08:46 GMT
