Opened 3 years ago
Closed 3 years ago
#32678 closed Cleanup/optimization (fixed)
Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)
| Reported by: | Tim Graham | Owned by: | Tim Graham |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | security, xss |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
As proposed on django-developers, remove this setting and its functionality without a deprecation.
Django's docs says, "Modern browsers don’t honor X-XSS-Protection HTTP header anymore. Although the setting offers little practical benefit, you may still want to set the header if you support older browsers."
https://docs.djangoproject.com/en/3.2/ref/settings/#secure-browser-xss-filter
According to Mozilla's docs, the header is supported by IE8 and Safari.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
In Django 3.0, the system check that suggested using this setting was removed (#30680).
Change History (4)
comment:1 by , 3 years ago
| Has patch: | set |
|---|
comment:2 by , 3 years ago
| Easy pickings: | set |
|---|---|
| Keywords: | security xss added |
| Triage Stage: | Unreviewed → Accepted |
comment:3 by , 3 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Note:
See TracTickets
for help on using tickets.
PR