[CSP3] reflected XSS directive from Harel Klopfer on 2022-08-29 (public-webappsec@w3.org from August 2022)

From: Harel Klopfer <Harel.Klopfer@hot.net.il>
Date: Mon, 29 Aug 2022 11:44:59 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <37b7291573d54abab461c25a4eac2fce@hot.net.il>

Hello
I saw at the OWASP the reflected XSS directive for the CSP header (site: https://owasp.org/www-project-secure-headers/#content-security-policy),
but I couldn't find this directive at your site.
Is this directive still in use?
In our company, we want to better implement the CSP header,
but we don't want to cancel the X-XSS-Protection<https://owasp.org/www-project-secure-headers/#x-xss-protection> header from older browsers compatibility reasons.
We use the X-XSS-Protection<https://owasp.org/www-project-secure-headers/#x-xss-protection> header as follow: 1; mode=block.
Is it possible using both headers together without them conflicting?
If the headers do conflict, which policy is stronger?

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement.

If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately.

Thank you.

Received on Monday, 29 August 2022 13:56:37 UTC