New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 686754 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Jan 2017
Cc:
mkwst@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Reflected Xss

Reported by calderon...@gmail.com, Jan 30 2017 
VULNERABILITY DETAILS
Unrecognized Content-Security-Policy directive

VERSION
Chrome Version: [56.0.2924.76] + [stable, beta, or dev]
Operating System: [Windows 7]

REPRODUCTION CASE
https://www.paypal.com/myaccount/home

Comment 1 by dominickn@chromium.org, Jan 30 2017

Cc: mkwst@chromium.org
Components: Blink>SecurityFeature
Status: WontFix (was: Unconfirmed)
The 'reflected-css' directive has been removed from Chrome as no other browser will ship it and its functionality is subsumed by the X-XSS-Protection header. See https://bugs.chromium.org/p/chromium/issues/detail?id=657737

Comment 2 by mkwst@chromium.org, Jan 30 2017 

(Note that it wasn't just "no other browser will ship it": `reflected-xss` was explicitly removed from the CSP2 recommendation and CSP3 draft. It's just not a thing anymore.)
Project Member

Comment 3 by sheriffbot@chromium.org, May 9 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment