      request #9960 Deprecated `reflected-xss` syntactic sugar ERROR in Chrome, Firefox, etc.
    Infos
    #9960
    Anton KULIK (d00AK)
    2017-02-21 11:08
    2017-02-14 17:41
    10255
    Details
    The early-days `reflected-xss` syntactic sugar for the `X-XSS-Protection` header is throwing an error in browsers. Reason: deprecated from browsers in October 2016.
    Screenshot attached to this artifact.

    Refs:
    https://www.w3.org/TR/2014/WD-CSP11-20140211/#reflected-xss
    https://bugzilla.mozilla.org/show_bug.cgi?id=1045902
    https://bugs.chromium.org/p/chromium/issues/detail?id=657737

    Other
    9.4
    CentOS 6
    • [x] enhancement
    • [ ] internal improvement
    Closed
    2017-02-21

    Follow-ups

    Thomas Gerbet (tgerbet) 2017-02-20 18:36
    The removal of this directive is under review: gerrit #7696.

    After that I will open a request to improve our CSP.

    • Status changed from Verified to Under review
    Thomas Gerbet (tgerbet) 2017-02-20 09:06
    Agreed, this directive is not present anymore in CSP3 and we should remove it. In fact we have a lot of work to do to make our CSP efficient.

    Thank you for taking the time to link to the bugs of Firefox and Chrome.

    • Status changed from New to Verified
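
A check for the problem reported in this request, as an added example that is not Tuleap code and not the change under review in gerrit: it finds the deprecated `reflected-xss` directive in a `Content-Security-Policy` value, reports the `X-XSS-Protection` value it stood for, and returns the policy without it. The function names, the sample header and the value mapping (this example's reading of the CSP 1.1 draft linked above) are assumptions.

```python
# Added example (not Tuleap code): find the deprecated `reflected-xss`
# directive in a Content-Security-Policy value and strip it.

# Assumption: X-XSS-Protection equivalents as read from the CSP 1.1 draft.
XSS_PROTECTION_EQUIVALENT = {
    "allow": "0",
    "filter": "1",
    "block": "1; mode=block",
}


def audit_policy(policy):
    """Return (cleaned_policy, findings) for a single serialized policy."""
    kept, findings = [], []
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty directive, e.g. after a trailing ';'
        name = tokens[0].lower()  # directive names are case-insensitive
        if name != "reflected-xss":
            kept.append(" ".join(tokens))
            continue
        value = tokens[1].lower() if len(tokens) > 1 else ""
        findings.append({
            "directive": name,
            "value": value,
            # None means the value is not one the draft defined.
            "x_xss_protection": XSS_PROTECTION_EQUIVALENT.get(value),
        })
    return "; ".join(kept), findings


def audit_header(header_value):
    """A header value may carry several comma-separated policies."""
    cleaned, findings = [], []
    for policy in header_value.split(","):
        new_policy, found = audit_policy(policy)
        if new_policy:
            cleaned.append(new_policy)
        findings.extend(found)
    return ", ".join(cleaned), findings


if __name__ == "__main__":
    # Constructed sample header, not the policy Tuleap actually sent.
    sample = "default-src 'self'; Reflected-XSS block; frame-ancestors 'self';"
    print(audit_header(sample))
```

If the filtering behaviour is still wanted after the directive is dropped, the reported `x_xss_protection` value is what the separate `X-XSS-Protection` header would have to carry.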