Currently, Mozilla and Google do not recommend setting X-XSS-Protection to an enabled state, because the XSS auditor can even create new XSS vulnerabilities in otherwise secure websites. X-XSS-Protection: 0 is preferred.
Setting the X-XSS-Protection header to either 0 or 1; mode=block prevents vulnerabilities like the one described above.
... while bringing back XSS vulnerabilities from having disabled XSS filtering. Then, for best security, it would be sending 1; mode=block, as they suggest.
These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').
Perhaps a better option would be sending X-XSS-Protection: 0 only if Content-Security-Policy is set in the response? (always sending either 0 or 1; mode=block doesn't seem like a great default).
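As an added example (not code from this issue or the project it belongs to), here is one way to implement the suggestion above: emit X-XSS-Protection: 0 only when the response carries a Content-Security-Policy that actually blocks inline script, and fall back to 1; mode=block otherwise. The helper names and the heuristic are assumptions made for this example.

```javascript
// Added example, not the project's own code. Parses a CSP header value into a
// directive map and decides the X-XSS-Protection value from it.

function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, only the first occurrence of a directive counts.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// True when the policy prevents inline script execution: script-src (or the
// default-src fallback) exists and does not permit 'unsafe-inline'. A nonce or
// hash source makes browsers ignore 'unsafe-inline' (CSP level 2+), so that
// case also counts as blocking inline script.
function cspBlocksInlineScript(cspValue) {
  const d = parseCsp(cspValue);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return false; // policy says nothing about scripts
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !lower.includes("'unsafe-inline'") || hasNonceOrHash;
}

// Case-insensitive header lookup; deliberately does NOT match
// Content-Security-Policy-Report-Only, which enforces nothing.
function findHeader(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

// Strong CSP present: the auditor is unnecessary and can be disabled (0).
// Otherwise keep the conservative 1; mode=block value.
function chooseXssProtection(headers) {
  const csp = findHeader(headers, 'content-security-policy');
  return csp && cspBlocksInlineScript(csp) ? '0' : '1; mode=block';
}

// Returns a copy of the response headers with X-XSS-Protection filled in.
function applyXssProtection(headers) {
  return { ...headers, 'X-XSS-Protection': chooseXssProtection(headers) };
}
```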