X-XSS-Protection: 0 is recommended by Mozilla and Google

[DavidOsipov]

Currently, Mozilla and Google do not recommend setting X-XSS-Protection to enabled state due to the fact that the XSS auditor can even create new XSS vulnerabilities in otherwise secure websites. X-XSS-Protection: 0 is preferred.

[dvershinin]

I'm not sure what would be the best to do here:

Setting the X-XSS-Protection header to either 0 or 1; mode=block prevents vulnerabilities like the one described above

... while bringing back XSS vulnerability from having disabled XSS filtering. Then for best security, it would be sending 1; mode=block as they suggest.

These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

Perhaps a better option would be sending X-XSS-Protection: 0 only if Content-Security-Policy is set in the response? (always sending either 0 or 1; mode=block doesn't seem like a great default).

[DavidOsipov]

Dead weight issue - closing.