From a393d4af01d6df703711e64510926181c699e6b4 Mon Sep 17 00:00:00 2001
From: Joe Rafaniello
Date: Fri, 20 Sep 2024 10:38:08 -0400
Subject: [PATCH] Disable x-xss-protection as it's the defaults now

Both rails and secure header are now shipping with 0 by default.

See: https://www.github.com/github/secure_headers/issues/439
---
 config/application.rb | 3 ---
 config/initializers/secure_headers.rb | 4 +++-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index 63266f79301..824274d2767 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -118,9 +118,6 @@ class Application < Rails::Application
 # https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L92
 config.load_defaults 7.0
- # TODO: this is the only change we had from defaults in 7.0. See secure_headers.rb. It's 0 in defaults.
- config.action_dispatch.default_headers["X-XSS-Protection"] = "1; mode=block"
-
 # TODO: Find and fixed any deprecated behavior. Opt in later.
 config.active_support.remove_deprecated_time_with_zone_name = false
 config.active_support.disable_to_s_conversion = false
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index b32bd7e9c28..12e9b40cb6c 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -14,7 +14,9 @@
 #FYI, this was deprecated and disabled in rails 7. Using content security policy is the desired behavior going forward:
 # https://github.com/rails/rails/commit/1f4714c3f798df227222f531141880b8e1b4170a
 # https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L227
- config.x_xss_protection = "1; mode=block"
+ # Disable x-xss-protection as it's being dropped by other big stakeholders for legitimate security reasons:
+ # https://github.com/github/secure_headers/issues/439
+ config.x_xss_protection = "0"
 config.referrer_policy = "no-referrer-when-downgrade"
 # Content-Security-Policy
 # Need google fonts in fonts_src for https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed%7CIBM+Plex+Sans:400,600&display=swap (For carbon-charts download)
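Review bot: The comment added above `config.x_xss_protection = "0"` gives the reason only by pointer ("other big stakeholders ... legitimate security reasons"), so the next reader has to follow the issue link to learn why "0" is the safer value than "1; mode=block"; I would state it inline, e.g. `# "0" is the recommended value: browsers have removed the XSS auditor, and the old "1; mode=block" filter has been shown to be usable as a cross-site leak. The Content-Security-Policy below is the control that matters.` With the application.rb override removed in the previous hunk, this line becomes the single place the header is set, which is an improvement over two layers that could disagree. Since the commit message says the gem's own default is now "0", the explicit assignment is pinning rather than changing behaviour; a request spec asserting the response carries `X-XSS-Protection: 0` would keep a future gem default change from silently reintroducing the old value. The configuration block this hunk sits in starts and ends outside the hunk.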