[ACTION-99] CSP 1.1: An initial pass at subsuming X-XSS-Protection.
author Mike West <mkwst@google.com>
Sat, 17 Nov 2012 14:30:25 +0100
changeset 173a33c0305a6bf
parent 172 4cb029780165
child 174 256c3035154c
[ACTION-99] CSP 1.1: An initial pass at subsuming X-XSS-Protection.

This is a first pass at subsuming X-XSS-Protection's functionality in CSP 1.1.
I've specced it out as a new directive, 'reflected-xss', with three keyword
values: "'allow'", "'block'", and "'filter'".

It's marked "experimental" for a reason; this is an untested strawman to kick
off discussion. :)
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Sat Nov 17 11:07:48 2012 +0100
     1.2 +++ b/csp-specification.dev.html	Sat Nov 17 14:30:25 2012 +0100
     1.3 @@ -1675,6 +1675,48 @@
     1.4        </section>
     1.5  
     1.6        <section>
     1.7 +        <h4><code>reflected-xss</code> (Experimental)</h4>
     1.8 +        <p>The <code>reflected-xss</code> directive instructs a user agent
     1.9 +        to active or disactivate any heuristics used to filter or block
    1.10 +        reflected cross-site scripting attacks. The syntax for the name and
    1.11 +        value of the directive are described by the following ABNF grammar:</p>
    1.12 +<pre>
    1.13 +directive-name    = "reflected-xss"
    1.14 +directive-value   = "'allow'" / "'block'" / "'filter'"
    1.15 +</pre>
    1.16 +        <p>A user agent with support for XSS protection MUST enforce this
    1.17 +        directive as follows:</p>
    1.18 +        <ul>
    1.19 +          <li>If the value of the directive is <code>'allow'</code>, the user
    1.20 +          agent MUST disable its active protections against reflected cross-site
    1.21 +          scripting attacks.</li>
    1.22 +          <li>If the value of the directive is <code>'filter'</code>, the user
    1.23 +          agent MUST enable its active protections against reflected cross-site
    1.24 +          scripting attacks. This might result in filtering script that is believed to be
    1.25 +          reflected being filtered or selectively blocking script execution.</p>
    1.26 +          <li>If the value of the directive is <code>'block'</code>, the user
    1.27 +          agent MUST stop rendering the protected resource upon detection of
    1.28 +          reflected script, and instead act as though it received an empty
    1.29 +          <a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP
    1.30 +          400 response</a> for the protected resource itself.</li>
    1.31 +        </ul>
    1.32 +
    1.33 +        <section class="informative">
    1.34 +          <h5>Relationship to <code>X-XSS-Protection</code></h5>
    1.35 +          <p>This directive is meant to subsume the functionality provided by
    1.36 +          the propriatary <code>X-XSS-Protection</code> HTTP header which is
    1.37 +          supported by a number of user agents. Roughly speaking:</p>
    1.38 +          <ul>
    1.39 +            <li><code>reflected-xss 'allow'</code> is equivalent to
    1.40 +            <code>X-XSS-Protection: 0</code></li>
    1.41 +            <li><code>reflected-xss 'protect'</code> is equivalent to
    1.42 +            <code>X-XSS-Protection: 1</code></li>
    1.43 +            <li><code>reflected-xss 'block'</code> is equivalent to
    1.44 +            <code>X-XSS-Protection: 1; mode=block</code></li>
    1.45 +          </ul>
    1.46 +        </section>
    1.47 +      </section>
    1.48 +      <section>
    1.49          <h4><code>report-uri</code></h4>
    1.50  
    1.51          <p>The <code>report-uri</code> directive specifies a URI to which the
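Review bot: the equivalence list at 1.41 uses a keyword the grammar never defines: `reflected-xss 'protect'` should read `reflected-xss 'filter'` to match `directive-value = "'allow'" / "'block'" / "'filter'"` at 1.14 and the enforcement bullet at 1.22, otherwise implementers mapping from `X-XSS-Protection: 1` will get an unparseable directive. In the same hunk, the `'filter'` bullet at 1.25 is closed with `</p>` instead of `</li>`, which leaves the `<ul>` malformed, and its sentence at 1.24-1.25 is circular ("filtering script ... being filtered"); suggest: "This might result in script believed to be reflected being filtered, or in script execution being selectively blocked." Smaller wording fixes: "to active or disactivate" at 1.9 should be "to activate or deactivate", and "propriatary" at 1.36 should be "proprietary". Finally, since the `'block'` and `'filter'` bullets describe a detection event but say nothing about reporting, it would help to state explicitly whether such a detection produces a violation report via the `report-uri` directive that follows at 1.49, as that is the main thing a deployer gains over the legacy header.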