Update X-XSS-Protection recommendation #53711
Closed
+8
−8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MichaIng
requested review from
artonge,
skjnldsv and
yemkareems
and removed request for
a team
MichaIng
added
3. to review
4 tasks
|
Just found #53476 which addresses pretty much the same, and probably in a more consequent way. Keeping the check for this ancient header which is not supported anymore by any browser since 2019, doesn't really make sense. And OWASP also suggests to just not set it at all, as alternative to explicitly disabling XSS filtering. |
While `1; mode=block` was seen as the most secure value for this header, some years ago, after possible side-channel attacks have become known, this turned towards `0` being the best-practice value, disabling XSS filtering entirely for those old browsers who still support it. MDN web docs give some explanation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection#security_considerations The OWASP cheat sheet recommends `0`: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection Here the related discussion when this recommendation was updated: OWASP/CheatSheetSeries#376 A Stack Overflow question underlines the clear recommendation, adding some more details: https://stackoverflow.com/questions/9090577 Since `1; mode=block` is not a large security risk, it affects only very old browsers, and a changed recommendation will (sadly) trigger a lot of issues/topics in forum and GitHub, the old value however is allowed to pass the check. So to pass the check, either page blocking needs to be enabled along with XSS filtering, or XSS filtering needs to be disabled. The warning however will always suggest to disable it. Signed-off-by: MichaIng <micha@dietpi.com>
MichaIng
force-pushed
the
enh/xss-protection-check
branch
from
bcc49fb to
9160fdc
Compare
MichaIng
added
2. developing
5 tasks
|
After sleeping a night over it and another thought, I am closing this PR in favor or #53476. If for whatever reason a majority thinks it makes more sense to keep the check for now, just accepting |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
X-XSS-Protectionrecommendation is deprecated #37154Summary
While
1; mode=blockwas seen as the most secure value for this header, some years ago, after possible side-channel attacks have become known, this turned towards0being the best-practice value, disabling XSS filtering entirely for those old browsers who still support it.MDN web docs give some explanation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection#security_considerations
The OWASP cheat sheet recommends
0: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protectionHere the related discussion when this recommendation was updated: OWASP/CheatSheetSeries#376
A Stack Overflow question underlines the clear recommendation, adding some more details: https://stackoverflow.com/questions/9090577
Since
1; mode=blockis not a large security risk, it affects only very old browsers, and a changed recommendation will (sadly) trigger a lot of issues/topics in forum and GitHub, the old value however is allowed to pass the check. So to pass the check, either page blocking needs to be enabled along with XSS filtering, or XSS filtering needs to be disabled. The warning however will always suggest to disable it.TODO
.htaccessChecklist