[Webkit-unassigned] [Bug 27312] [XSSAuditor] Add support for header X-XSS-Protection

bugzilla-daemon at webkit.org
Sat Jan 30 11:05:10 PST 2010


--- Comment #14 from Daniel Bates <dbates at webkit.org>  2010-01-30 11:05:09 PST ---
Will update the patch. By the way, do you have a reference for the quote?

(In reply to comment #13)
> To be clear, here are the exact semantics we want:
> [[
> We simply look at the first non-whitespace character of the value of the first
> X-XSS-Protection response header.  If it's '0', we disable protection. If it's
> '1', we enable protection. We ignore the rest of the line, although if the
> value is longer than 16 characters, we ignore the whole thing.
> ]]
> So, for 12, we'd want that if the first two characters are "12" then we turn on
> the full page block regardless of what the rest of the header is (as long as
> it's less than or equal to 16 characters).  Crazy, I know.

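The header semantics quoted in this comment, written out as a small C++ function. This is an added example, not code from the WebKit patch under discussion; the names `XSSProtection` and `parseXSSProtection`, the space-or-tab whitespace rule, counting the 16-character limit on the raw value, and treating any other first character as "ignored" are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// What the header asks the auditor to do. Ignored means the header has no
// effect and the caller keeps whatever default it already had (assumption).
enum class XSSProtection { Ignored, Disabled, Enabled, EnabledBlock };

// Assumption: "whitespace" means space or horizontal tab.
static bool isHeaderWhitespace(char c) { return c == ' ' || c == '\t'; }

// value: the value of the first X-XSS-Protection response header.
XSSProtection parseXSSProtection(const std::string& value)
{
    // Over-long values are ignored whole (assumption: the limit counts the
    // raw value, leading whitespace included).
    if (value.size() > 16)
        return XSSProtection::Ignored;

    std::size_t i = 0;
    while (i < value.size() && isHeaderWhitespace(value[i]))
        ++i;
    if (i == value.size())
        return XSSProtection::Ignored;

    if (value[i] == '0')
        return XSSProtection::Disabled;
    if (value[i] == '1') {
        // "12" as the first two characters selects the full page block;
        // everything after those characters is ignored.
        if (i + 1 < value.size() && value[i + 1] == '2')
            return XSSProtection::EnabledBlock;
        return XSSProtection::Enabled;
    }
    return XSSProtection::Ignored; // assumption: any other first character
}

int main()
{
    // Constructed sample values, not taken from the bug.
    const char* samples[] = { "0", " 1", "12; junk", "1; mode=block", "1234567890abcdefg", "yes" };
    for (const char* s : samples)
        std::cout << '"' << s << "\" -> " << static_cast<int>(parseXSSProtection(s)) << '\n';
    return 0;
}
```

The 16-character cap is checked before anything else, so a long value that starts with `0` does not switch protection off.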