[webappsec] subsume X-XSS-Protection into CSP 1.1?

As I'm here at the IETF, reviewing the websec's charter statement and framework requirements, I note that one of the goals that drove the formation of both our WGs was to reduce fragmentation and duplication of security features and make it easier for resource owners to author policy through a consolidated, extensible mechanism.

In that spirit, I wonder if another logical directive for CSP 1.1 might be to incorporate the features currently provided by "X-XSS-Protection". It eliminates the need for another X- header, and seems like a logical fit.

Would there be any interest in this from implementers who currently manage XSS filters in their browser?


Received on Thursday, 8 November 2012 20:01:50 UTC