Remove X-XSS-Protection header from defaults #44

Closed
GaProgMan opened this issue Jul 22, 2019 · 1 comment · Fixed by #55

Comments


GaProgMan commented Jul 22, 2019

Description

As the Chromium team have announced their plan to deprecate the XSSAuditor in Chrome, along with it having been removed from Edge in October, 2018, the X-XSS-Protection header should be removed from the default builder. However, since legacy browsers still support the header, it should still be possible to add the header via an extension method.

Notes for Implementers

Removing UseXSSProtection() from the BuildDefaultConfiguration extension method will get us part way to fixing this issue.


GaProgMan commented Oct 23, 2019

Rationale in fix:

The UseXSSProtection() extension method is still available, but simply removed from the default builder. So consumers can still add this to their generated headers by calling the above extension method.
