
Disable X-XSS-Protection filter, for safety #26

Merged 1 commit into brokenhandsio:main from disable-xss-filter on Apr 20, 2022

Conversation

EvanHahn
Contributor

Surprisingly, X-XSS-Protection is safer when disabled, and browsers are dropping support for it as a result. Because it's less safe to enable the filter, this change sets the default (and only) value to `0`, instead of `1; mode=block`.

This is a breaking change.

See #25.
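As an added example (not code from VaporSecurityHeaders or from this PR), the following Python parses the header's documented forms and classifies a response the way the PR argues: only an explicit `0` counts as the filter being off. The sample response headers are constructed.

```python
"""Classify a response's X-XSS-Protection header: anything other than an
explicit `0` means the legacy browser filter is switched on."""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class XssProtection:
    enabled: bool                     # True for any "1..." form
    mode: Optional[str] = None        # "block" when "mode=block" is present
    report_uri: Optional[str] = None  # set when "report=<uri>" is present


def parse_xss_protection(value: str) -> XssProtection:
    """Parse one header value (0 | 1 | 1; mode=block | 1; report=<uri>);
    raise ValueError for anything outside that documented syntax."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        raise ValueError(f"unexpected X-XSS-Protection value: {value!r}")
    enabled = parts[0] == "1"
    mode = report_uri = None
    for directive in parts[1:]:
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if enabled and name == "mode" and arg.lower() == "block":
            mode = "block"
        elif enabled and name == "report" and arg:
            report_uri = arg
        else:
            raise ValueError(f"unexpected directive {directive!r} in {value!r}")
    return XssProtection(enabled, mode, report_uri)


def audit(headers: Mapping[str, str]) -> str:
    """Return "ok", "missing" or "filter-enabled"; names match case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("x-xss-protection")
    if raw is None:
        return "missing"  # browser default applies; an explicit 0 also covers older browsers
    return "ok" if not parse_xss_protection(raw).enabled else "filter-enabled"


# Constructed sample responses (not captured from a real server): the old
# default this PR replaces, and the new one.
SAMPLE_BEFORE = {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}
SAMPLE_AFTER = {"Content-Type": "text/html", "X-XSS-Protection": "0"}
```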

@0xTim 0xTim linked an issue Apr 13, 2022 that may be closed by this pull request
@0xTim
Member

0xTim commented Apr 20, 2022

@EvanHahn looks like some tests are failing

@EvanHahn
Contributor Author

I'll take a look.

Surprisingly, [`X-XSS-Protection` is safer when disabled][0], and
browsers are dropping support for it as a result. Because it's less safe
to enable the filter, this change sets the default (and only) value to
`0`, instead of `1; mode=block`.

This is a breaking change.

See [issue brokenhandsio#25][1].

[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[1]: brokenhandsio#25
@EvanHahn
Contributor Author

Should be fixed! My mistake.

@codecov

codecov bot commented Apr 20, 2022

Codecov Report

Merging #26 (2900d3e) into main (82b5174) will not change coverage.
The diff coverage is 100.00%.

```
@@            Coverage Diff            @@
##              main       #26   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           11        11           
  Lines          282       273    -9     
=========================================
- Hits           282       273    -9     
```

| Impacted Files | Coverage Δ |
| --- | --- |
| Sources/VaporSecurityHeaders/SecurityHeaders.swift | 100.00% <ø> (ø) |
| ...rs/Configurations/XSSProtectionConfiguration.swift | 100.00% <100.00%> (ø) |
| .../VaporSecurityHeaders/SecurityHeadersFactory.swift | 100.00% <100.00%> (ø) |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Member

@0xTim 0xTim left a comment


Thanks!

@0xTim 0xTim merged commit c2bbfe0 into brokenhandsio:main Apr 20, 2022
@EvanHahn EvanHahn deleted the disable-xss-filter branch April 20, 2022 17:35
Successfully merging this pull request may close these issues.

Consider disabling X-XSS-Protection by default