From 814d990604ccc4968a259d261866a13802b41461 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@chromium.org>
Date: Thu, 12 Jun 2014 09:06:41 +0200
Subject: [PATCH] CSP: Remove 'reflected-xss' from <meta> elements.

---
 specs/content-security-policy/index.src.html | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/specs/content-security-policy/index.src.html b/specs/content-security-policy/index.src.html
index 45e05c61..397ca82c 100644
--- a/specs/content-security-policy/index.src.html
+++ b/specs/content-security-policy/index.src.html
@@ -302,9 +302,9 @@ <h3 id="delivery-html-meta-element">
           <li>Let <var>directive-set</var> be the result of
           <a title="parse the policy">parsing <var>policy</var></a>.</li>
 
-          <li>Remove all occurrences of <code><a>report-uri</a></code> and
-          <code><a>sandbox</a></code> directives from
-          <var>directive-set</var>.</li>
+          <li>Remove all occurrences of <code><a>reflected-xss</a></code>,
+          <code><a>report-uri</a></code>, and <code><a>sandbox</a></code>
+          directives from <var>directive-set</var>.</li>
 
           <li>Enforce each of the <a>directives</a> in <var>directive-set</var>,
           as <a href="#sec-directives">defined for each directive type</a>.</li>
@@ -2516,6 +2516,10 @@ <h3 id="directive-reflected-xss"><code>reflected-xss</code></h3>
     scripting attacks detect or prevent script execution, the user agent
     MUST <a>report a violation</a>.
 
+    Note: The <code>reflected-xss</code> directive will be ignored if
+    contained within a
+    <a href="#delivery-html-meta-element"><code>meta</code> element</a>.
+
     <section class="informative">
       <h4 id="reflected-xss-and-x-xss-protection">
         Relationship to <code>X-XSS-Protection</code>