This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

Don't penalize disabled X-XSS-PROTECTION #432

Open
franziskuskiefer opened this issue Sep 14, 2020 · 7 comments

Comments

@franziskuskiefer

The X-XSS-PROTECTION header is pretty much unused now [1][2]. The observatory shouldn't penalize websites for X-XSS-PROTECTION=0.

image

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[2] helmetjs/helmet#230

@emilbjorklund

The X-XSS-Protection header is now considered deprecated by the OWASP Secure Headers project, and the recommended setting is 0 - please consider not penalizing sites for following that guideline.

Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.

Source:
https://owasp.org/www-project-secure-headers/#x-xss-protection

@Seirdy

Seirdy commented Jun 30, 2021

More on the holes opened by enabling X-XSS-Protection: it was successfully used to exploit a vulnerability in Facebook after which FB set X-XSS-Protection to 0.

@vladimir-kazakov

This header is also considered to be non-standard, since it's not supported in the majority of modern web browsers.

@ZeikoFr

ZeikoFr commented Sep 8, 2022

Hi,

Any news on this issue?

I will try to look into the code somewhere in the next few weeks, but I'm not a dev, so any help is appreciated.

Regards

@haleybe

haleybe commented Aug 20, 2023

Still waiting on this?

@sbernard31

When you set X-XSS-Protection 0, you get:
Screenshot from 2024-01-08 16-11-10

And when you click on the X-XSS-Protection link, you can read:

In modern browsers, X-XSS-Protection has been deprecated in favor of the Content-Security-Policy to disable the use of inline JavaScript. Its use can introduce XSS vulnerabilities in otherwise safe websites. This should not be used unless you need to support older web browsers that don’t yet support CSP. It is thus recommended to set the header as X-XSS-Protection: 0.

🤯

@janbrasna

Fixed in #520
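As an added example (not code from the Observatory, helmet or any commenter), here is a scanner check that applies the OWASP guidance quoted in this thread: `X-XSS-Protection: 0` or no header passes, while a value that switches the legacy XSS Auditor on is reported as deprecated. The verdict names, the penalty rule and the sample headers are this example's own assumptions.

```python
"""Added example (not Observatory or helmet code): a header check that applies
the OWASP guidance quoted in this thread. 'X-XSS-Protection: 0' or no header
passes; a value enabling the legacy XSS Auditor gets a deprecation warning."""
from typing import Dict, Optional


def parse_x_xss_protection(value: str) -> Optional[dict]:
    """Split '1; mode=block; report=<url>' into its switch and directives.
    Returns None when the leading token is neither 0 nor 1."""
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        return None
    parsed = {"enabled": tokens[0] == "1", "mode": None, "report": None}
    for directive in tokens[1:]:
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in parsed and name != "enabled":
            parsed[name] = val.lower() if name == "mode" else val
    return parsed


def evaluate_x_xss_protection(headers: Dict[str, str]) -> dict:
    """Return {'verdict', 'penalty'}; a disabled auditor is never penalised."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    has_csp = "content-security-policy" in lowered
    value = lowered.get("x-xss-protection")
    if value is None:  # modern browsers ignore the header; nothing to score
        return {"verdict": "absent", "penalty": False}
    parsed = parse_x_xss_protection(value)
    if parsed is None:
        return {"verdict": "invalid", "penalty": True}
    if not parsed["enabled"]:  # the value OWASP recommends
        return {"verdict": "disabled", "penalty": False}
    # Auditor enabled: deprecated, and (as the thread notes) a known risk.
    # Warn, and penalise only when there is no CSP to rely on instead.
    return {"verdict": "enabled-deprecated", "mode": parsed["mode"],
            "penalty": not has_csp}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "owasp-recommended": {"X-XSS-Protection": "0",
                          "Content-Security-Policy": "default-src 'self'"},
    "legacy-block": {"x-xss-protection": "1; mode=block"},
    "garbage": {"X-XSS-Protection": "yes please"},
}


def score_all() -> Dict[str, dict]:
    return {name: evaluate_x_xss_protection(h) for name, h in SAMPLES.items()}
```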
