Consider disabling X-XSS-Protection by default #25
@EvanHahn yep definitely up for updating the library to whatever the current best practices are. Looking through the discussions, instead of it being removed entirely it sounds like the header should be set to
Exactly. Continue to set the header, but set its value to BTW, if there are other things I can help with as a maintainer of a similar module, let me know. My email is me@evanhahn.com.
Would you like me to make a pull request for this?
@EvanHahn it's on my todo list, but if you want to take it on that would be awesome!
Sounds good!
I'll try to get to this in the next month. Feel free to get started before me.
I haven't made any changes yet, but
@EvanHahn How are you installing Swift and which OS are you on? And what's the error? If you're on macOS and haven't installed Xcode it won't work, unfortunately. (There's some legacy stuff to separate out the old Objective-C runtime, which is used on macOS instead of the Swift runtime for tests.) You could try Docker or just let CI sort it out. If you're not on macOS then I should be able to work out what's going on with the error.
I'm on macOS and I do have Xcode installed. I'll grab the errors for you when I'm next at a computer.
A lot of ambiguous usages:
@EvanHahn looks like newer versions of the compiler were being more strict about duplicate symbols. I've pushed an update to fix all these and updated the branch to
That solved it! Thank you.
I'll have a patch for this tomorrow.
Surprisingly, [`X-XSS-Protection` is safer when disabled][0], and browsers are dropping support for it as a result. Because it's less safe to enable the filter, this change sets the default (and only) value to `0`, instead of `1; mode=block`. This is a breaking change. See [issue brokenhandsio#25][1].

[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[1]: brokenhandsio#25
Made a pull request (#26). Feedback welcome!
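The change described in the commit message above (keep sending the header, but with the value `0` rather than `1; mode=block`) is easy to get wrong in a service that already sets the header somewhere else in its stack. The following is an added example, written for this thread and not code from the Vapor project or from helmet: a minimal Node-style `(req, res, next)` middleware that sets `X-XSS-Protection: 0`, a small audit helper that classifies whatever value a response is currently carrying, and a constructed stand-in for Node's response object so it runs without an HTTP server. The `makeFakeResponse` helper and the classification labels are assumptions made for the example.

```javascript
// Added example for the X-XSS-Protection discussion; not the project's or
// helmet's own code. The header is still emitted, but with the value "0",
// which turns the legacy browser XSS filter off as the thread recommends.

const DISABLED = "0";

// Middleware in the (req, res, next) shape. `res` is assumed to expose
// setHeader/getHeader like Node's http.ServerResponse (assumption).
function xssProtectionMiddleware(req, res, next) {
  res.setHeader("X-XSS-Protection", DISABLED);
  if (typeof next === "function") next();
}

// Classify an observed X-XSS-Protection value so an audit can flag responses
// that still enable the legacy filter. Labels are chosen for this example:
//   "missing"  - header absent, the browser's own default applies
//   "disabled" - "0", the value the thread settles on
//   "enabled"  - "1", "1; mode=block" or "1; report=..." (filter turned on)
//   "invalid"  - anything else
function auditXssProtection(value) {
  if (value === undefined || value === null) return "missing";
  const v = String(value).trim();
  if (v === "0") return "disabled";
  if (/^1(\s*;\s*mode=block)?$/i.test(v)) return "enabled";
  if (/^1\s*;\s*report=\S+$/i.test(v)) return "enabled";
  return "invalid";
}

// Constructed stand-in for Node's response object, case-insensitive on header
// names the way Node's setHeader/getHeader are, so the example runs offline.
function makeFakeResponse(initialHeaders = {}) {
  const headers = new Map();
  for (const [name, value] of Object.entries(initialHeaders)) {
    headers.set(name.toLowerCase(), String(value));
  }
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), String(value)); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
  };
}

// Run the middleware against a response that may already carry a legacy
// value (for instance from a reverse proxy) and return what it ends up with.
function applyAndRead(existing) {
  const res = makeFakeResponse(existing ? { "x-xss-protection": existing } : {});
  xssProtectionMiddleware({}, res, () => {});
  return res.getHeader("X-XSS-Protection");
}

// Usage: a pre-existing "1; mode=block" is overwritten, and the audit helper
// reports the result as "disabled".
console.log(applyAndRead("1; mode=block"));
console.log(auditXssProtection(applyAndRead("1; mode=block")));
```

One thing worth checking after making the switch is that nothing downstream re-adds the old value: `auditXssProtection` run over real responses from staging will show whether a proxy or another middleware still emits `1; mode=block`.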
I maintain a similar module for Node.js and decided to disable the `X-XSS-Protection` header based on discussion here: helmetjs/helmet#230. In short, it seems to be safer to disable it. This would probably be a breaking change, but is this something you would consider for this package?