CSP: Remove 'reflected-xss' from <meta> elements.

w3c · Jun 12, 2014 · 814d990 · 814d990
1 parent 2285189
commit 814d990
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/specs/content-security-policy/index.src.html b/specs/content-security-policy/index.src.html
@@ -302,9 +302,9 @@ <h3 id="delivery-html-meta-element">
           <li>Let <var>directive-set</var> be the result of
           <a title="parse the policy">parsing <var>policy</var></a>.</li>
 
-          <li>Remove all occurrences of <code><a>report-uri</a></code> and
-          <code><a>sandbox</a></code> directives from
-          <var>directive-set</var>.</li>
+          <li>Remove all occurrences of <code><a>reflected-xss</a></code>,
+          <code><a>report-uri</a></code>, and <code><a>sandbox</a></code>
+          directives from <var>directive-set</var>.</li>
 
           <li>Enforce each of the <a>directives</a> in <var>directive-set</var>,
           as <a href="#sec-directives">defined for each directive type</a>.</li>
@@ -2516,6 +2516,10 @@ <h3 id="directive-reflected-xss"><code>reflected-xss</code></h3>
     scripting attacks detect or prevent script execution, the user agent
     MUST <a>report a violation</a>.
 
+    Note: The <code>reflected-xss</code> directive will be ignored if
+    contained within a
+    <a href="#delivery-html-meta-element"><code>meta</code> element</a>.
+
     <section class="informative">
       <h4 id="reflected-xss-and-x-xss-protection">
         Relationship to <code>X-XSS-Protection</code>