Intent to Deprecate and Remove: The `reflected-xss` CSP directive.

[Mike West]

# Eng

mk...@chromium.org

# Summary

Early drafts of CSP2 contained a `reflected-xss` directive, which is little more than syntactic sugar for the `X-XSS-Protection` header. It offered no additional functionality beyond that header, just a better syntax. I shipped our implementation as part of shipping CSP2 (https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/wToP6b04zVE/imuPatGy3awJ). I should have undone that in 2015 when we dropped the directive from the CR draft. I'd like to undo it now.

# Motivation

We removed the directive from the spec. No other browser is going to ship the directive. We should stop shipping it too, as it complicates our implementation and could confuse developers.

# Compatibility Risk

1. No other browser ships this directive or plans to do so. Removing it will align our behavior with the rest of the web.

2. This feature replicated functionality in `X-XSS-Protection`, which other browsers do support. We never dropped support for that directive, which means that developers who wanted to change the XSS Auditor's behavior in Safari, Opera, IE, or Edge would have needed to send that header as well.

3. The major risk is that a developer who wished to disable the XSS Auditor does so only via this directive, and not via `X-XSS-Protection`, meaning that they get opted back into filtering mode, which might make their application vulnerable to some attack vectors. I think this is quite unlikely on its face due to the lack of browser support for the directive (https://www.openfuture.org/ is the only page in httparchive that is in this situation), and is further mitigated by the fact that we'll be flipping our default from filter to block in the very near future.

# Alternatives

`X-XSS-Protection`.

# Usage Information

We don't have a metric for this in particular. 

# Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=657737

# Feature Dashboard

https://www.chromestatus.com/feature/5769374145183744

# Requesting approval to remove?

Yes.

-mike

[Jochen Eisinger]

lgtm1

[Philip Jägenstedt]

lgtm2

Have you tried reaching out to openfuture.org?

As for deprecation, it would be nice if either any unknown directives result in a console message, or if this had a specific message explaining to use X-XSS-Protection instead, whichever is easier to implement.

[Mike West]

On Thu, Oct 20, 2016 at 11:24 AM, Philip Jägenstedt <foo...@chromium.org> wrote:

Have you tried reaching out to openfuture.org?

https://twitter.com/mikewest/status/789035801845829632 :)

 

As for deprecation, it would be nice if either any unknown directives result in a console message, or if this had a specific message explaining to use X-XSS-Protection instead, whichever is easier to implement.

We already send a warning to the console for unrecognized directives, something like "Unrecognized Content-Security-Policy directive 'whatever'."

 

-mike

[Philip Jägenstedt]

Ah, well that's great. Now if people search for that they'll probably end up in this thread, and figure out that they should use X-XSS-Protection, as intended.

[Chris Harrelson]

LGTM3

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.