Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X-XSS-Protection issues #14

Closed
stanley101music opened this issue Nov 16, 2023 · 1 comment
Closed

X-XSS-Protection issues #14

stanley101music opened this issue Nov 16, 2023 · 1 comment
Assignees
@rfc-st
Labels
enhancement New feature or request

Comments

@stanley101music
Copy link

stanley101music commented Nov 16, 2023
edited
Loading

According to OWASP Secure Headers Project, the X-XSS-Protection header is deprecated.

Although I didn't find a formal RFC or document saying it's deprecated, The caniuse shows that almost all modern browsers are not supporting this HTTP header, and MDN also mentioned that this is non-standard and recommends using Content-Security-Policy instead.

Perhaps X-XSS-Protection should have the issue as Deprecated Header in addition to Unsafe Value and Duplicated Values

P.S. There might be a typo In insecure.txt, where v is lower case in Content-Security-Policy: Incorrect values and others are Values
@rfc-st rfc-st self-assigned this Nov 16, 2023
@rfc-st rfc-st added the enhancement New feature or request label Nov 16, 2023
rfc-st added a commit that referenced this issue Nov 16, 2023
@rfc-st
Feature: New insecure check (X-XSS-Protection: Deprecated Header))
1c3c3dc 
#14
@rfc-st
Copy link
Owner

rfc-st commented Nov 16, 2023

Hi!,

You're absolutely right: it's time for 'humble' to clearly warn that X-XSS-Protection is deprecated (it might make some sense in older browsers that don't support CSP, but ironically enabling this header -with values other than '0'- can introduce XSS vulnerabilities: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).

Added new check in: 1c3c3dc

I have also fixed the typo in the insecure.txt file.

Thank you!.

Best regards,

@rfc-st rfc-st closed this as completed Nov 16, 2023
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rfc-st rfc-st

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rfc-st @stanley101music