Deprecate `reflected-xss` CSP directive.

Feature: Deprecate `reflected-xss` CSP directive. (removed)

Early drafts of CSP2 contained a `reflected-xss` directive, which is little more than syntactic sugar for the `X-XSS-Protection` header. It offered no additional functionality beyond that header, just a better syntax. I shipped our implementation as part of shipping CSP2 (https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/wToP6b04zVE/imuPatGy3awJ). I should have undone that in 2015 when we dropped the directive from the CR draft. I'd like to undo it now.

Specification

Established standard

Status in Chromium

Blink components: SecurityFeature

Removed (tracking bug) in:

Chrome for desktop release 56
Chrome for Android release 56
Android WebView release 56

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: No signal
Edge: No signal
Safari: No signal
Web Developers: No signals

Owner

mkwst@chromium.org

Last updated on 2020-11-09