Change default `X-XSS-Protection` header to '0' by csutter · Pull Request #41769...
source link: https://github.com/rails/rails/pull/41769
Change default X-XSS-Protection header to '0' #41769
Summary
This header has been deprecated and the XSS auditor it triggered has been removed from all major modern browsers (in favour of Content Security Policy) that implemented this header to begin with (Firefox never did).
OWASP suggest setting this header to '0' to disable the default behaviour on old browsers as it can introduce additional security issues.
Added the new behaviour as a framework default from Rails 7.0.
Some other resources discussing this header and why it should be set to '0':
👍🏽 this makes sense for all new apps but existing apps should decide if they want to change the value or not. So I think we should introduce the new value behind a configuration flag that is default in Rails 7.0 but for any other Rails version we keep the behavior and ask people to change the config to match Rails 7.0 in the new_frameworks_default file. Can you change your PR to reflect that plan?
@rafaelfranca Thanks for the feedback! I've updated the change to be a defaults change instead, starting at 7.0.
I've considered having a specific configuration flag for this change, but that felt a bit strange – we'd have to start merging things into the default default_headers hash, and if users set their own hash we wouldn't want to override it. So I've made it set a new default for the whole hash.
This way we could maybe also add some additional headers/change existing headers for Rails 7.0 to reflect current best practice, and do it all in one go?
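The mechanism discussed in the PR description and in the reply above (a version-selected defaults hash that fills in headers an app did not set, without clobbering an app's own values), as an added, stand-alone example that is not code from this PR or from Rails itself. It is a plain-Ruby, Rack-style middleware with no Rails dependency; the header values, the `default_headers_for` helper and the `DefaultHeaders` class are assumptions for illustration, so check the real `default_headers` of the Rails version you run. It also includes the audit check a practitioner would want: only an explicit `0` disables the auditor, a missing header leaves legacy browsers on their built-in default.

```ruby
# Added example, not code from the Rails PR or from Rails itself: a minimal
# Rack-style middleware that fills in security headers the app did not set,
# chosen by a version-dependent defaults hash (the new_framework_defaults
# pattern, simplified). Header values are assumptions for illustration.

# Pre-7.0 default set (assumed values). Rails < 7.0 shipped "1; mode=block".
DEFAULT_HEADERS_PRE_7 = {
  "X-Frame-Options"        => "SAMEORIGIN",
  "X-XSS-Protection"       => "1; mode=block",
  "X-Content-Type-Options" => "nosniff",
}.freeze

# 7.0 default set: identical except the XSS auditor is explicitly disabled.
DEFAULT_HEADERS_7_0 = DEFAULT_HEADERS_PRE_7.merge("X-XSS-Protection" => "0").freeze

# Hypothetical helper: picks the defaults hash by load_defaults version.
def default_headers_for(load_defaults)
  load_defaults.to_f >= 7.0 ? DEFAULT_HEADERS_7_0 : DEFAULT_HEADERS_PRE_7
end

# Middleware: headers the application already set take precedence; defaults
# only fill gaps, so an app that deliberately overrides a header is not clobbered.
class DefaultHeaders
  def initialize(app, defaults)
    @app = app
    @defaults = defaults
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, @defaults.merge(headers), body]
  end
end

# Constructed sample app: sets Content-Type plus whatever explicit headers the
# caller passes (e.g. an intentional override of X-XSS-Protection).
def sample_app(explicit = {})
  ->(_env) { [200, { "Content-Type" => "text/html" }.merge(explicit), ["<p>hi</p>"]] }
end

# Runs one request through the middleware and returns the response headers.
def headers_with_defaults(load_defaults, explicit = {})
  stack = DefaultHeaders.new(sample_app(explicit), default_headers_for(load_defaults))
  stack.call({})[1]
end

# Audit check: per the OWASP guidance quoted in the thread, the auditor is only
# reliably off when the header is an explicit "0". A missing header leaves
# legacy browsers on their built-in default, which is auditor-on.
def xss_auditor_disabled?(headers)
  headers["X-XSS-Protection"].to_s.strip == "0"
end

if __FILE__ == $PROGRAM_NAME
  [6.1, 7.0].each do |v|
    h = headers_with_defaults(v)
    puts "load_defaults #{v}: X-XSS-Protection=#{h['X-XSS-Protection'].inspect} " \
         "auditor_disabled=#{xss_auditor_disabled?(h)}"
  end
end
```

The merge order is the whole point of the "new default for the whole hash" approach: `@defaults.merge(headers)` means an application that sets its own hash, or a single header per response, always wins, and switching the framework default only changes what is filled in for apps that said nothing. Run `xss_auditor_disabled?` against a real response in a request spec to catch apps that still inherit the legacy value after upgrading.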
@csutter Could you rebase please?
Also, copying the important part from that page since the link doesn't go directly to it for those curious:
X-XSS-Protection: Deprecated.
Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.
@rafaelfranca @zzak I've given this another rebase - would love to see it make it into 7.0!