Unrecognized content security policy directives: disown-opener, reflected-xss, referrer

I'm at least 90% sure that the following is a result of Chrome's implementation of W3C's CSP standard, but I thought that it'd be best to double down and make sure.

I'm currently in the process of implementing a strict content security policy for a client, and I've run into the following policy directive complications on Chrome 66:

Unrecognized Content-Security-Policy directive 'disown-opener'.
Unrecognized Content-Security-Policy directive 'reflected-xss'.
Unrecognized Content-Security-Policy directive 'referrer'.

Again, I'm sure this is a standards issue (as I'm using MDN’s CSP documentation). If this is the case, can anyone direct me to competing or substituting directives?

Bradley asked May 29 '18 01:05



1 Answer

Unrecognized Content-Security-Policy directive 'reflected-xss'

The reflected-xss directive was removed from the CSP spec in 2016. But you can use the X-XSS-Protection header to get exactly the same effect reflected-xss was meant for.

Unrecognized Content-Security-Policy directive 'referrer'.

The referrer directive was dropped long ago. Use the Referrer-Policy header instead.

Unrecognized Content-Security-Policy directive 'disown-opener'

Use rel=noopener on any external links. It’s supported in all modern browsers except Edge.

sideshowbarker answered Oct 12 '22 12:10
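The migration the answer describes, as an added example rather than code from the question, the answer or any browser project: a small Python helper that parses a Content-Security-Policy header, strips the three directives Chrome no longer recognises, and emits the replacements the answer names (X-XSS-Protection for reflected-xss, Referrer-Policy for referrer, and a note that disown-opener has to become rel="noopener" in the markup). The value mapping for reflected-xss (allow / block / filter) is taken from the old CSP 1.1 draft; the sample policy string and the sample HTML are constructed for the example.

```python
"""Check a Content-Security-Policy header for directives current browsers no
longer recognise and build the replacement headers suggested in the answer.
Added example; the sample inputs are constructed, not taken from the question."""
import re
from typing import Dict, List, Tuple

# Tokens accepted by the Referrer-Policy header (W3C Referrer Policy spec).
REFERRER_POLICY_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Values of the old draft 'reflected-xss' directive mapped onto the legacy
# X-XSS-Protection header the answer points to (assumed mapping).
REFLECTED_XSS_TO_HEADER = {"block": "1; mode=block", "filter": "1", "allow": "0"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [values]}. Directive names are
    case-insensitive; the spec keeps the first occurrence of a duplicate."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Join the parsed policy back into a header value."""
    return "; ".join(" ".join([name, *values]) for name, values in policy.items())


def migrate_policy(header: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers_to_send, review_notes) for a policy that may still use
    the dropped directives. The CSP is re-emitted without them."""
    policy = parse_csp(header)
    headers: Dict[str, str] = {}
    notes: List[str] = []

    if "reflected-xss" in policy:
        values = policy.pop("reflected-xss")
        mode = values[0].lower() if values else "filter"
        if mode in REFLECTED_XSS_TO_HEADER:
            headers["X-XSS-Protection"] = REFLECTED_XSS_TO_HEADER[mode]
        else:
            notes.append(f"reflected-xss value {mode!r} has no X-XSS-Protection equivalent")
        # Caveat: X-XSS-Protection is a legacy, non-CSP header; recent Chromium
        # releases no longer implement the XSS auditor it controlled.
        notes.append("X-XSS-Protection is a legacy header ignored by recent Chromium")

    if "referrer" in policy:
        values = policy.pop("referrer")
        token = values[0].lower() if values else ""
        if token in REFERRER_POLICY_TOKENS:
            headers["Referrer-Policy"] = token
        else:
            notes.append(f"referrer value {token!r} is not a Referrer-Policy token; set it by hand")

    if "disown-opener" in policy:
        policy.pop("disown-opener")
        notes.append("disown-opener dropped: add rel=\"noopener\" to links that open new windows")

    headers["Content-Security-Policy"] = serialize_csp(policy)
    return headers, notes


# Markup side of the disown-opener replacement: add rel="noopener" to anchors
# that open a new browsing context and do not already carry it.
ANCHOR_RE = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
REL_RE = re.compile(r'\brel\s*=\s*"([^"]*)"', re.IGNORECASE)
TARGET_BLANK_RE = re.compile(r'\btarget\s*=\s*"_blank"', re.IGNORECASE)


def add_noopener(html: str) -> str:
    def fix(match: "re.Match[str]") -> str:
        tag = match.group(0)
        if not TARGET_BLANK_RE.search(tag):
            return tag
        rel = REL_RE.search(tag)
        if rel is None:
            return tag[:-1] + ' rel="noopener">'
        tokens = rel.group(1).split()
        if "noopener" in (t.lower() for t in tokens):
            return tag
        return tag[:rel.start(1)] + " ".join(tokens + ["noopener"]) + tag[rel.end(1):]
    return ANCHOR_RE.sub(fix, html)


if __name__ == "__main__":
    # Constructed sample policy still carrying the three dropped directives.
    sample = "default-src 'self'; reflected-xss block; referrer no-referrer; disown-opener; script-src 'self'"
    new_headers, review = migrate_policy(sample)
    for name, value in new_headers.items():
        print(f"{name}: {value}")
    for note in review:
        print("note:", note)
    print(add_noopener('<a href="https://example.com" target="_blank">ext</a>'))
```

Running the script prints the rewritten Content-Security-Policy alongside X-XSS-Protection and Referrer-Policy, plus review notes for anything that cannot be translated into a header automatically.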


