Deprecate `reflected-xss` CSP directive. (removed)

Early drafts of CSP2 contained a `reflected-xss` directive, which is little more than syntactic sugar for the `X-XSS-Protection` header. It offered no additional functionality beyond that header, just a better syntax. I shipped our implementation as part of shipping CSP2 (https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/wToP6b04zVE/imuPatGy3awJ). I should have undone that in 2015 when we dropped the directive from the CR draft. I'd like to undo it now.

Specification

Established standard

Status in Chromium

Removed (launch bug) in:

  • Chrome for desktop release 56
  • Chrome for Android release 56
  • Android WebView release 56
  • Opera release 43
  • Opera for Android release 43

Consensus & Standardization

  • No public signals
  • No public signals
  • No public signals
  • No signals

Last updated on 2016-10-20