[Webkit-unassigned] [Bug 27312] [XSSAuditor] Add support for header X-XSS-Protection

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 23 19:25:35 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=27312
--- Comment #2 from Adam Barth <abarth at webkit.org>  2009-09-23 19:25:34 PDT ---
Sam, Maciej, and I discussed this on IRC just now.  Instead of re-using the IE8
control header, I think we should create our own header with three states:

1) Not present
2) X-XSS-Auditor-Options: ignore
3) X-XSS-Auditor-Options: fullpageblock

In state (1), we should keep doing what we do now.  In state (2), we should
disable the XSSAuditor for that page.  In state (3), we should stop rendering
the page and show an error message (you can see an example of how to do this
with the X-Frame-Options logic).

I don't think we should worry about header injection issues at this point.  The
auditor doesn't cover every vulnerability anyway.  The number of XSS + header
injections should be relatively low.  If this turns out to be a big problem, we
can always add that feature later.

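The three-state header proposed in the comment, worked through as an added example. This is not WebKit code and not Adam Barth's patch: the enum, function and type names (`XSSAuditorMode`, `parseXSSAuditorOptions`, `actionFor`, `parseHeaderBlock`) are assumed for illustration, and the embedded response header block is constructed. It maps an absent, "ignore" or "fullpageblock" header to the behaviours listed in the comment (state 1: current auditor behaviour, state 2: auditor off, state 3: stop rendering and show an error page), treats unknown values as state 1 since the proposal defines no others, and includes a constructed CRLF-injected response to show why the header-injection case the comment sets aside matters: an injected `X-XSS-Auditor-Options: ignore` line switches the auditor off for that page.

```cpp
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Added example, not WebKit code. Names are assumed for illustration; the
// three states follow the proposal in the comment.
enum class XSSAuditorMode { Default, Ignore, FullPageBlock };
enum class Action { Render, RenderWithBlockedScript, ShowErrorPage };

struct Header { std::string name; std::string value; };

// Trim surrounding whitespace and lower-case, so " Ignore " matches "ignore".
static std::string lowerTrim(const std::string& in) {
    size_t b = 0, e = in.size();
    while (b < e && std::isspace(static_cast<unsigned char>(in[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(in[e - 1]))) --e;
    std::string out;
    for (size_t i = b; i < e; ++i)
        out += static_cast<char>(std::tolower(static_cast<unsigned char>(in[i])));
    return out;
}

// State (1) when the header is absent. Unknown values also fall back to (1),
// because the proposal only defines "ignore" and "fullpageblock".
XSSAuditorMode parseXSSAuditorOptions(const std::optional<std::string>& value) {
    if (!value) return XSSAuditorMode::Default;
    const std::string v = lowerTrim(*value);
    if (v == "ignore") return XSSAuditorMode::Ignore;
    if (v == "fullpageblock") return XSSAuditorMode::FullPageBlock;
    return XSSAuditorMode::Default;
}

// Split a raw CRLF-separated "Name: value" header block into pairs.
// Header names are normalised to lower case; lines without a colon are skipped.
std::vector<Header> parseHeaderBlock(const std::string& raw) {
    std::vector<Header> out;
    size_t pos = 0;
    while (pos < raw.size()) {
        size_t end = raw.find("\r\n", pos);
        if (end == std::string::npos) end = raw.size();
        const std::string line = raw.substr(pos, end - pos);
        pos = end + 2;
        const size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        out.push_back({ lowerTrim(line.substr(0, colon)), lowerTrim(line.substr(colon + 1)) });
    }
    return out;
}

// First matching header wins (an assumption of this example, not a spec rule).
std::optional<std::string> findHeader(const std::vector<Header>& headers, const std::string& name) {
    const std::string wanted = lowerTrim(name);
    for (const auto& h : headers)
        if (h.name == wanted) return h.value;
    return std::nullopt;
}

XSSAuditorMode modeForHeaders(const std::vector<Header>& headers) {
    return parseXSSAuditorOptions(findHeader(headers, "X-XSS-Auditor-Options"));
}

// Behaviour per state as described in the comment: (1) the auditor keeps doing
// what it does now (neuter the reflected script and render), (2) the auditor
// is disabled for the page, (3) rendering stops and an error page is shown,
// the way the X-Frame-Options path does it.
Action actionFor(XSSAuditorMode mode, bool auditorDetectedReflectedScript) {
    if (mode == XSSAuditorMode::Ignore) return Action::Render;
    if (!auditorDetectedReflectedScript) return Action::Render;
    return mode == XSSAuditorMode::FullPageBlock ? Action::ShowErrorPage
                                                 : Action::RenderWithBlockedScript;
}

// Constructed sample response: an attacker-controlled value reached the
// Location header carrying a CRLF, so an extra header line was injected.
// This is the "XSS + header injection" case the comment defers.
const std::string kInjectedResponseHeaders =
    "Content-Type: text/html\r\n"
    "Location: /search?q=abc\r\nX-XSS-Auditor-Options: ignore\r\n"
    "Cache-Control: no-store\r\n";

int main() {
    const XSSAuditorMode mode = modeForHeaders(parseHeaderBlock(kInjectedResponseHeaders));
    std::cout << "injected response -> auditor "
              << (mode == XSSAuditorMode::Ignore ? "disabled" : "active") << "\n";
    std::cout << "fullpageblock + reflected script -> "
              << (actionFor(XSSAuditorMode::FullPageBlock, true) == Action::ShowErrorPage
                      ? "error page" : "render") << "\n";
    return 0;
}
```

The last check is the practical caveat: because the response headers are parsed before the auditor runs, any endpoint that lets a request value into a header without stripping CR/LF can opt itself out of the auditor, which is exactly the trade-off the comment accepts for a first version.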