- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 05 Nov 2014 09:48:31 -0800
- To: Mike West <mkwst@google.com>
- CC: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Chris Palmer <palmer@google.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11/5/2014 2:06 AM, Mike West wrote: > On Wed, Nov 5, 2014 at 8:38 AM, Daniel Veditz <dveditz@mozilla.com > > This has been removed from CSP level 2. > > A small point: reflected-xss has not been removed from CSP2. It's marked > as At Risk, pending IE's feedback about whether or not they intend to > implement it. Sorry, you're right. I guess I'm on the less optimistic side of "at risk". Regardless it should not be a controversial directive: it is simply a synonym for the existing non-standard X-XSS-Protection header. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx It seems generally useful to coalesce miscellaneous non-standard security headers into a standard Content-Security-Policy that can be documented in one place. If any given header has a strong constituency that believes it should be standardized separately that's fine, too. In this case reps from the two browser engines which support the non-standard header seem to prefer CSP inclusion to a separate standard. It does complicate the CSP rules for handling multiple policies, but we already have the problem of defining what happens with multiple X-XSS-Protection headers and should be able to simply re-use that behavior. -Dan Veditz
Received on Wednesday, 5 November 2014 17:49:00 UTC