I'm at least 90% sure that the following is a result of Chrome's implementation of W3C's CSP standard, but I thought that it'd be best to double down and make sure.
I'm currently in the process of implementing a strict content security policy for a client, and I've run into the following policy directive complications on Chrome 66:
Unrecognized Content-Security-Policy directive 'disown-opener'.
Unrecognized Content-Security-Policy directive 'reflected-xss'.
Unrecognized Content-Security-Policy directive 'referrer'.
Again, I'm sure this is a standards issue (as I'm using MDN’s CSP documentation). If this is the case, can anyone direct me to competing or substituting directives?
Unrecognized Content-Security-Policy directive 'reflected-xss'
The reflected-xss directive was removed from the CSP spec in 2016. But you can use the X-XSS-Protection header to get exactly the same effect reflected-xss was meant for.
Unrecognized Content-Security-Policy directive 'referrer'.
The referrer directive was dropped long ago. Use the Referrer-Policy header instead.
Unrecognized Content-Security-Policy directive 'disown-opener'
Use rel=noopener on any external links. It’s supported in all modern browsers.