
Removal of reflected-xss from CSP3 (was Re: Move `referrer` from CSP to some other header.)

From: Brian Smith <brian@briansmith.org>
Date: Fri, 9 Oct 2015 10:10:15 -1000
Message-ID: <CAFewVt4s_ppJuWjoGWD3uyKk5R6oXAyO-rEuReaKEQsPXZ5zHg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jochen Eisinger <eisinger@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
On Fri, Oct 9, 2015 at 3:45 AM, Mike West <mkwst@google.com> wrote:

> So, while rewriting most of CSP, I think I've decided that Brian was
> right, way back in
> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
> CSP is simpler to conceptualize as a purely restrictive mechanism, and
> I'm on board with the idea that we should keep it that way.

I noticed that the current editor's draft of CSP 3 [1] only mentions the
proposed reflected-xss directive in one place, and doesn't attempt to
define it. To be consistent with the idea above, it seems like
reflected-xss should also be removed from CSP3, which would currently
require just removing "reflected-xss, " from the editor's draft. Is that
what you're intending?

[1] https://w3c.github.io/webappsec-csp/

Received on Friday, 9 October 2015 20:10:43 UTC
