Don't penalize disabled X-XSS-PROTECTION #432
Comments
Source:

More on the holes opened by enabling X-XSS-Protection: it was successfully used to exploit a vulnerability in Facebook, after which FB set X-XSS-Protection to 0.

This header is also considered to be non-standard, since it's not supported in the majority of modern web browsers.

Hi, any news on this issue? I will try to look into the code somewhere in the next few weeks, but I'm not a dev, so any help is appreciated. Regards

Still waiting on this?

When you set: And when you click on the X-XSS-Protection link:
🤯

Fixed in #520
The X-XSS-PROTECTION header is pretty much unused now [1][2]. The observatory shouldn't penalize websites for X-XSS-PROTECTION=0.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[2] helmetjs/helmet#230
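As an added example (not part of this issue thread, and not the Observatory's own scoring code): a small Python checker that implements the policy the issue asks for. An absent header or X-XSS-Protection: 0 is not penalized, while any value that turns the legacy browser XSS auditor on is flagged, since the thread notes that auditor has itself been abused. The function names (parse_x_xss_protection, score_headers) and the sample header maps are my own; the directive syntax handled (0 or 1, optional mode=block, optional report=<uri>) is the header's documented form.

```python
"""Score the X-XSS-Protection response header: disabled/absent is fine,
enabled is flagged. Example code, not the Observatory's implementation."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class XssProtectionResult:
    value: str | None       # raw header value, or None if the header is absent
    enabled: bool           # True when the value switches the legacy auditor on
    mode: str | None        # "block" when "mode=block" is present
    report_uri: str | None  # target of "report=<uri>", if any
    verdict: str            # "pass" (not penalized) or "warn"


def parse_x_xss_protection(value: str | None) -> XssProtectionResult:
    """Parse the documented syntax "<0|1>[; mode=block][; report=<uri>]"."""
    if value is None or value.strip() == "":
        # Absent header: nothing to penalize; modern browsers ignore it anyway.
        return XssProtectionResult(value, False, None, None, "pass")

    parts = [p.strip() for p in value.split(";") if p.strip()]
    flag, directives = parts[0], parts[1:]
    mode = report_uri = None
    for directive in directives:
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "mode":
            mode = val.strip().lower() or None
        elif name == "report":
            report_uri = val.strip() or None

    if flag == "0":
        # Explicitly disabled: the setting the issue argues should pass.
        return XssProtectionResult(value, False, mode, report_uri, "pass")
    if flag == "1":
        # Legacy auditor enabled: flag it rather than reward it.
        return XssProtectionResult(value, True, mode, report_uri, "warn")
    # Anything else is malformed; surface it so the operator notices.
    return XssProtectionResult(value, False, mode, report_uri, "warn")


def score_headers(headers: dict[str, str]) -> str:
    """Case-insensitive lookup of the header in a response header map."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return parse_x_xss_protection(lowered.get("x-xss-protection")).verdict


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        {"Content-Type": "text/html", "X-XSS-Protection": "0"},
        {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"},
        {"Content-Type": "text/html"},
    ]
    for hdrs in samples:
        print(hdrs.get("X-XSS-Protection", "<absent>"), "->", score_headers(hdrs))
```

The checker deliberately keeps the parsed mode and report URI in the result even when the verdict is "warn", so a scanner can tell an operator exactly which legacy directive is still being sent and recommend dropping it or setting the value to 0.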