[Enhancement] Remove X-XSS-Protection headers. (Deprecated header not used by browsers nowadays)
#4446
Labels
enhancement
Improvement of an existing feature
Comments
|
It seems that they removed these guidelines last month:
|
|
Also, yes, we want to support old browsers, so I think it's relevant? |
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your enhancement request related to a problem? Please describe.
No
Describe the solution you'd like
Remove X-XSS-Protection header.
invidious/src/invidious/routes/before_all.cr
Line 20 in e8a3698
Describe alternatives you've considered
Make use of CSP (which is already implemented in Invidious, so there is no problem here)
Additional context
I will not reinvent the wheel so I will just cite the sources.
"In modern browsers, X-XSS-Protection has been deprecated in favor of the Content-Security-Policy to disable the use of inline JavaScript. Its use can introduce XSS vulnerabilities in otherwise safe websites. This should not be used unless you need to support older web browsers that don’t yet support CSP. It is thus recommended to set the header as X-XSS-Protection: 0."
https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
There is no need to use X-XSS-Protection unless we want to support the <2010 version of Chrome or the <2015 version of Microsoft Edge. Other browsers like firefox never implemeneted or make use of this header so it makes no sense to use it nowadays because no browser uses it.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Recycled text from searxng/searxng#3171
The text was updated successfully, but these errors were encountered: