Intent to Deprecate and Remove: The `reflected-xss` CSP directive.

瀏覽次數:481 次
跳到第一則未讀訊息

Mike West

未讀,
2016年10月20日 上午5:14:012016/10/20
收件者:blink-dev
# Eng

# Summary
Early drafts of CSP2 contained a `reflected-xss` directive, which is little more than syntactic sugar for the `X-XSS-Protection` header. It offered no additional functionality beyond that header, just a better syntax. I shipped our implementation as part of shipping CSP2 (https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/wToP6b04zVE/imuPatGy3awJ). I should have undone that in 2015 when we dropped the directive from the CR draft. I'd like to undo it now.

# Motivation
We removed the directive from the spec. No other browser is going to ship the directive. We should stop shipping it too, as it complicates our implementation and could confuse developers.

# Compatibility Risk
1. No other browser ships this directive or plans to do so. Removing it will align our behavior with the rest of the web.

2. This feature replicated functionality in `X-XSS-Protection`, which other browsers do support. We never dropped support for that directive, which means that developers who wanted to change the XSS Auditor's behavior in Safari, Opera, IE, or Edge would have needed to send that header as well.

3. The major risk is that a developer who wished to disable the XSS Auditor does so only via this directive, and not via `X-XSS-Protection`, meaning that they get opted back into filtering mode, which might make their application vulnerable to some attack vectors. I think this is quite unlikely on its face due to the lack of browser support for the directive (https://www.openfuture.org/ is the only page in httparchive that is in this situation), and is further mitigated by the fact that we'll be flipping our default from filter to block in the very near future.

# Alternatives
`X-XSS-Protection`.

# Usage Information
We don't have a metric for this in particular. 

# Tracking bug

# Feature Dashboard

# Requesting approval to remove?
Yes.

-mike

Jochen Eisinger

未讀,
2016年10月20日 上午5:14:582016/10/20
收件者:Mike West、blink-dev
lgtm1

Philip Jägenstedt

未讀,
2016年10月20日 上午5:24:352016/10/20
收件者:Jochen Eisinger、Mike West、blink-dev
lgtm2

Have you tried reaching out to openfuture.org?

As for deprecation, it would be nice if either any unknown directives result in a console message, or if this had a specific message explaining to use X-XSS-Protection instead, whichever is easier to implement.

Mike West

未讀,
2016年10月20日 上午5:30:252016/10/20
收件者:Philip Jägenstedt、Jochen Eisinger、blink-dev
On Thu, Oct 20, 2016 at 11:24 AM, Philip Jägenstedt <foo...@chromium.org> wrote:
Have you tried reaching out to openfuture.org?

 
As for deprecation, it would be nice if either any unknown directives result in a console message, or if this had a specific message explaining to use X-XSS-Protection instead, whichever is easier to implement.

We already send a warning to the console for unrecognized directives, something like "Unrecognized Content-Security-Policy directive 'whatever'."
 
-mike

Philip Jägenstedt

未讀,
2016年10月20日 上午5:41:572016/10/20
收件者:Mike West、Jochen Eisinger、blink-dev
Ah, well that's great. Now if people search for that they'll probably end up in this thread, and figure out that they should use X-XSS-Protection, as intended.

Chris Harrelson

未讀,
2016年10月20日 下午1:03:062016/10/20
收件者:Philip Jägenstedt、Mike West、Jochen Eisinger、blink-dev
LGTM3

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

回覆所有人
回覆作者
轉寄
0 則新訊息