W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: CSP: Problems with referrer and reflected-xss

From: Mike West <mkwst@google.com>
Date: Wed, 5 Nov 2014 11:06:17 +0100
Message-ID: <CAKXHy=eaS0CQZwgB0TrDqOJj5y3g6eh2sQYV8spvpEzHhUpbnw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Chris Palmer <palmer@google.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 5, 2014 at 8:38 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> > As for reflected-xss, I honestly don't care about it too much. But, I
> > feel obligated to point out that it is a specification for a W3C
> > standard to restrict unspecified, proprietary mechanisms.
> This has been removed from CSP level 2.

A small point: reflected-xss has not been removed from CSP2. It's marked as
At Risk, pending IE's feedback about whether or not they intend to
implement it.

Received on Wednesday, 5 November 2014 10:07:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC