Opened 6 years ago
Closed 6 years ago
#30680 closed Cleanup/optimization (fixed)
Remove security.W007 check.
| Reported by: | Adam Johnson | Owned by: | Adnan Umer |
|---|---|---|---|
| Component: | Core (System checks) | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
As discused in #30426, it seems that the X-Xss-Protection security header is no longer industry best practice, as major browsers are removing their XSS auditors and security professionals no longer recommend it:
- Scott Helme has stopped requiring it on SecurityHeaders.com - https://scotthelme.co.uk/security-headers-updates/
- Chrome has is removing their XSS Auditor - https://bugs.chromium.org/p/chromium/issues/detail?id=968591
- Edge already removed their XSS auditor
- This is all because the protection is minimal and the false positives tend to be damaging - https://frederik-braun.com/xssauditor-bad.html
As suggested by Ran on #30426, rather than enforce the setting SECURE_BROWSER_XSS_FILTER, we should actually be looking at removing the check security.W007 so users have one less thing to think about for a modern security posture.
Change History (5)
comment:1 by , 6 years ago
| Component: | Core (Other) → Core (System checks) |
|---|---|
| Summary: | Remove security.W007 check → Remove security.W007 check. |
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Cleanup/optimization |
| Version: | 2.2 → master |
comment:2 by , 6 years ago
| Easy pickings: | set |
|---|
comment:3 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Note:
See TracTickets
for help on using tickets.