Changed X-XSS-Protection to follow OWASP standards due to deprecation. #5298
Conversation
pull-request-size
bot
added
the
size/XS
|
|
LiamRiddell
changed the title
|
Seems reasonable to me although it would also be good to check the "legacy browsers" list and ensure it's indeed very old version with very little or no usage in real world. |
|
Agreed, I believe we could potentially use |
|
Do we need to replace X-XSS-Protection with CSP? https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP |
|
@LiamRiddell Would you please add a changelog entry and replace |
cognifloyd
added
status:needs changes
status:needs cla
|
@cognifloyd Hi Jacob, apologies. You want me to add a new changelog entry in the "CHANGELOG.rst" file in the root directory of the project? Best, Liam. |
|
Correct |
Do you want me to add it under the "in development" change log? |
|
Yes. Then when we cut a release, that section gets renamed to the version number and we add a new in development section. |
Perfect, please review the changes. Sorry again for the delay! |
Yes, if possible that is standard practice to mitigate against XSS. However, in some apps it may not be a simple change as the blast radius of blocking resources based on allow-list could cause issues across the app. |
cognifloyd
removed
the
status:needs cla
|
I'm not sure why CircleCI isn't running this PR. I'm going to close and reopen to trigger it (hopefully) |
5 participants
Modified the
conf/nginx/st2.confto disable theX-XSS-Protectionfunctionality in order to align with the OWASP standards. As most browser vendors have deprecated or removed this feature due to the fact it can introduce additional security issues. Please view the following sources:OWASP:
Mozilla Developer Network Web Docs:
References:
OWASP - https://owasp.org/www-project-secure-headers/#x-xss-protection
MDN - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection