[webappsec] subsume X-XSS-Protection into CSP 1.1? from Hill, Brad on 2012-11-08 (public-webappsec@w3.org from November 2012)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 8 Nov 2012 20:01:21 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2E49A1@DEN-EXDDA-S12.corp.ebay.com>

As I'm here at the IETF, reviewing the websec's charter statement and framework requirements, I note that one of the goals that drove the formation of both our WGs was to reduce fragmentation and duplication of security features and make it easier for resource owners to author policy through a consolidated, extensible mechanism.

In that spirit, I wonder if another logical directive for CSP 1.1 might be to incorporate the features currently provide by "X-XSS-Protection".  It eliminates the need for another X- header, and seems like a logical fit.

Would there be any interest in this from implementers who currently manage XSS filters in their browser?

-Brad

Received on Thursday, 8 November 2012 20:01:50 UTC