<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - CSP: Remove experimental directive reflected-xss"

   href="https://bugs.webkit.org/show_bug.cgi?id=156554">156554</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>CSP: Remove experimental directive reflected-xss

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>dbates&#64;webkit.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>The Content Security Policy directive reflected-xss was removed from the Content Security Policy Level 2 spec., &lt;<a href="https://w3c.github.io/webappsec-csp/2/">https://w3c.github.io/webappsec-csp/2/</a>&gt; (Editor's Draft, 29 August 2015). This directive was considered experimental and was guarded by a run-time flag that was never enabled by default.

For completeness, the directive reflected-xss appeared in the Content Security Policy 1.1 spec, &lt;<a href="http://www.w3.org/TR/2013/WD-CSP11-20130604/">http://www.w3.org/TR/2013/WD-CSP11-20130604/</a>&gt;, was mentioned as &quot;at-risk, and may be dropped during the CR period&quot; in an early revision of the Content Security Policy Level 2 spec., &lt;<a href="https://www.w3.org/TR/2014/WD-CSP2-20140703/">https://www.w3.org/TR/2014/WD-CSP2-20140703/</a>&gt;, and was subsequently removed in &lt;<a href="https://www.w3.org/TR/2015/CR-CSP2-20150219/">https://www.w3.org/TR/2015/CR-CSP2-20150219/</a>&gt;.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>