Re: [CSP3] reflected XSS directive

Hello,

There should not be any conflicts between XSS protection and normal CSP. AFAIK the now deprecated XSS protection blocked HTTP responses that contain payloads reflected from their HTTP request. Having a strict CSP policy alongside that wouldn't conflict, as CSP is in effect once the document loads, which XSS protection prevents when it's in effect.

Regards,
Abdul
________________________________
From: Harel Klopfer <Harel.Klopfer@hot.net.il>
Sent: Monday, August 29, 2022 2:44 PM
To: public-webappsec@w3.org <public-webappsec@w3.org>
Subject: [EXTERNAL] [CSP3] reflected XSS directive


Hello

I saw at the OWASP the reflected XSS directive for the CSP header (site: https://owasp.org/www-project-secure-headers/#content-security-policy),

but I couldn’t find this directive at your site.

Is this directive still in use?

In our company, we want to better implement the CSP header,

but we don't want to cancel the X-XSS-Protection header (https://owasp.org/www-project-secure-headers/#x-xss-protection) for older-browser compatibility reasons.

We use the X-XSS-Protection header as follows: 1; mode=block.

Is it possible using both headers together without them conflicting?

If the headers do conflict, which policy is stronger?


Received on Monday, 29 August 2022 14:13:23 UTC
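Added example, not code from either message in this thread: a small Python checker for the situation Harel describes. It parses a Content-Security-Policy value the way CSP3 does (split on ';', then on ASCII whitespace, directive names case-insensitive, the first occurrence of a directive wins), parses a legacy X-XSS-Protection value, and reports directives such as reflected-xss that are not defined in CSP3 and are therefore ignored by browsers. The directive tables, the lint rules and the sample headers are assumptions constructed for this example.

```python
"""Check a response's Content-Security-Policy and X-XSS-Protection headers.

Added example, not code from the mailing-list thread. The directive tables
are an assumption compiled from the CSP Level 3 text; 'reflected-xss' comes
from the CSP 1.1 working draft and is not defined in CSP3, so it is listed
as removed.
"""
from __future__ import annotations

# Directives defined in CSP Level 3 (assumption: abridged from the spec).
CSP3_DIRECTIVES = frozenset({
    # fetch directives
    "child-src", "connect-src", "default-src", "font-src", "frame-src",
    "img-src", "manifest-src", "media-src", "object-src", "script-src",
    "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
    "style-src-attr", "worker-src",
    # document, navigation and reporting directives
    "base-uri", "sandbox", "form-action", "frame-ancestors",
    "report-uri", "report-to",
})
# Directives defined by other specs but carried in the same header.
OTHER_SPEC_DIRECTIVES = frozenset({
    "upgrade-insecure-requests", "block-all-mixed-content",
    "trusted-types", "require-trusted-types-for",
})
# Directives that appeared in earlier CSP drafts and were removed.
REMOVED_DIRECTIVES = frozenset({"reflected-xss", "referrer", "plugin-types"})


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a serialized policy as CSP3 does: split on ';', then on ASCII
    whitespace; names are case-insensitive; a repeated directive is ignored."""
    policy: dict[str, list[str]] = {}
    for token in value.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue  # spec behaviour: keep the first occurrence, ignore the rest
        policy[name] = parts[1:]
    return policy


def parse_xss_protection(value: str) -> dict[str, str]:
    """Parse the legacy X-XSS-Protection header: '0', '1', '1; mode=block'
    or '1; report=<uri>'. Returns the leading flag plus any key=value fields."""
    fields = [f.strip() for f in value.split(";") if f.strip()]
    result = {"enabled": fields[0] if fields else ""}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        result[key.strip().lower()] = val.strip()
    return result


def lint_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response's headers (header names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    csp = parse_csp(h.get("content-security-policy", ""))
    for name in csp:
        if name in REMOVED_DIRECTIVES:
            findings.append(f"CSP directive '{name}' is not defined in CSP3; browsers ignore it")
        elif name not in CSP3_DIRECTIVES | OTHER_SPEC_DIRECTIVES:
            findings.append(f"CSP directive '{name}' is unknown")
    if csp and "default-src" not in csp and "script-src" not in csp:
        findings.append("CSP sets neither default-src nor script-src; script loading is unrestricted")

    xss = h.get("x-xss-protection")
    if xss is not None:
        p = parse_xss_protection(xss)
        if p["enabled"] not in {"0", "1"}:
            findings.append(f"X-XSS-Protection value {xss!r} is malformed")
        elif p["enabled"] == "1" and p.get("mode") != "block":
            findings.append("X-XSS-Protection '1' without mode=block sanitizes the suspected script instead of blocking the page")
    return findings


# Constructed sample headers: a CSP that still carries the draft-era
# reflected-xss directive and a duplicated default-src, plus the exact
# X-XSS-Protection value from the thread.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; reflected-xss block; default-src *",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for finding in lint_headers(SAMPLE_HEADERS):
        print("-", finding)
```

On the sample, the only finding is the reflected-xss directive; the duplicated default-src is silently dropped because the first occurrence wins, and the X-XSS-Protection value is accepted. The script reads headers from a dict so it can be fed from any HTTP client's response object.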