Re: CSP: Problems with referrer and reflected-xss

On 11/5/2014 2:06 AM, Mike West wrote:
> On Wed, Nov 5, 2014 at 8:38 AM, Daniel Veditz <
>     This has been removed from CSP level 2.
> A small point: reflected-xss has not been removed from CSP2. It's marked
> as At Risk, pending IE's feedback about whether or not they intend to
> implement it.

Sorry, you're right. I guess I'm on the less optimistic side of "at risk".

Regardless it should not be a controversial directive: it is simply a
synonym for the existing non-standard X-XSS-Protection header.

It seems generally useful to coalesce miscellaneous non-standard
security headers into a standard Content-Security-Policy that can be
documented in one place. If any given header has a strong constituency
that believes it should be standardized separately that's fine, too. In
this case reps from the two browser engines which support the
non-standard header seem to prefer CSP inclusion to a separate standard.

It does complicate the CSP rules for handling multiple policies, but we
already have the problem of defining what happens with multiple
X-XSS-Protection headers and should be able to simply re-use that behavior.

-Dan Veditz

Received on Wednesday, 5 November 2014 17:49:00 UTC