Consider disabling X-XSS-Protection by default #25

Closed
EvanHahn opened this issue Mar 23, 2022 · 13 comments · Fixed by #26

@EvanHahn
Contributor

I maintain a similar module for Node.js and decided to disable the X-XSS-Protection header based on discussion here: helmetjs/helmet#230. In short, it seems to be safer to disable it.

This would probably be a breaking change, but is this something you would consider for this package?

@0xTim
Member

0xTim commented Mar 23, 2022

@EvanHahn yep definitely up for updating the library to whatever the current best practices are. Looking through the discussions, instead of it being removed entirely it sounds like the header should be set to X-XSS-Protection: 0 by default. Am I reading that right?

@EvanHahn
Contributor Author

Exactly. Continue to set the header, but set its value to 0.

BTW, if there are other things I can help with as a maintainer of a similar module, let me know. My email is me@evanhahn.com.

@EvanHahn
Contributor Author

Would you like me to make a pull request for this?

@0xTim
Member

0xTim commented Mar 29, 2022

@EvanHahn it's on my todo list but if you want to take it on that would be awesome!

@EvanHahn
Contributor Author

EvanHahn commented Mar 29, 2022 via email

@EvanHahn
Contributor Author

EvanHahn commented Apr 9, 2022

I haven't made any changes yet, but swift test fails for me. I'm using Swift 5.6. Am I doing something wrong? (I'm relatively new to Swift so I probably am!)

@0xTim
Member

0xTim commented Apr 10, 2022

@EvanHahn How are you installing Swift and which OS are you on? And what's the error? If you're on macOS and haven't installed Xcode it won't work unfortunately. (There's some legacy stuff to separate out the old Objective-C runtime which is used on macOS instead of the Swift runtime for tests). You could try Docker or just let CI sort it out.

If you're not on macOS then I should be able to work out what's going on with the error.

@EvanHahn
Contributor Author

I'm on macOS and I do have Xcode installed. I'll grab the errors for you when I'm next at a computer.

@EvanHahn
Contributor Author

A lot of ambiguous usages:

/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:44:67: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual(expectedXCTOHeaderValue, response.headers[.xContentTypeOptions].first)
                                                                  ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:45:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:59:67: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual(expectedXCTOHeaderValue, response.headers[.xContentTypeOptions].first)
                                                                  ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:60:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:74:67: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual(expectedXCTOHeaderValue, response.headers[.xContentTypeOptions].first)
                                                                  ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:75:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:89:67: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual(expectedXCTOHeaderValue, response.headers[.xContentTypeOptions].first)
                                                                  ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:90:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:101:40: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertNil(response.headers[.xContentTypeOptions].first)
                                       ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:109:53: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual("nosniff", response.headers[.xContentTypeOptions].first)
                                                    ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:249:47: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(csp, response.headers[.contentSecurityPolicy].first)
                                              ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:269:47: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(csp, response.headers[.contentSecurityPolicy].first)
                                              ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:278:47: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(csp, response.headers[.contentSecurityPolicy].first)
                                              ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:288:47: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(csp, response.headers[.contentSecurityPolicy].first)
                                              ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:301:57: error: ambiguous use of 'contentSecurityPolicy'
        guard let cspResponseHeader = response.headers[.contentSecurityPolicy].first else {
                                                        ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:306:65: error: cannot infer contextual base in reference to member 'utf8'
        guard let reportToJson = replacedCSPHeader.data(using: .utf8) else {
                                                               ~^~~~
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:336:47: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(csp, response.headers[.contentSecurityPolicy].first)
                                              ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:356:47: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(csp, response.headers[.contentSecurityPolicy].first)
                                              ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:376:47: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(csp, response.headers[.contentSecurityPolicy].first)
                                              ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:489:55: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCsp, response.headers[.contentSecurityPolicy].first)
                                                      ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:513:55: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCsp, response.headers[.contentSecurityPolicy].first)
                                                      ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:536:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:559:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:573:64: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual("default-src 'none'", response.headers[.contentSecurityPolicy].first)
                                                               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:587:64: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual("default-src 'none'", response.headers[.contentSecurityPolicy].first)
                                                               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:598:67: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual(expectedXCTOHeaderValue, response.headers[.xContentTypeOptions].first)
                                                                  ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:599:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:612:67: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual(expectedXCTOHeaderValue, response.headers[.xContentTypeOptions].first)
                                                                  ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:613:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:630:67: error: ambiguous use of 'xContentTypeOptions'
        XCTAssertEqual(expectedXCTOHeaderValue, response.headers[.xContentTypeOptions].first)
                                                                  ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:335:27: note: found this candidate
        public static let xContentTypeOptions = Name("X-Content-Type-Options")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:7:16: note: found this candidate
    static let xContentTypeOptions = HTTPHeaders.Name("X-Content-Type-Options")
               ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Tests/VaporSecurityHeadersTests/HeaderTests.swift:631:66: error: ambiguous use of 'contentSecurityPolicy'
        XCTAssertEqual(expectedCSPHeaderValue, response.headers[.contentSecurityPolicy].first)
                                                                 ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/.build/checkouts/vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Name.swift:111:27: note: found this candidate
        public static let contentSecurityPolicy = Name("Content-Security-Policy")
                          ^
/Users/evanevanhahnhahn/code/others/VaporSecurityHeaders/Sources/VaporSecurityHeaders/SecurityHeaders+HeaderKey.swift:5:16: note: found this candidate
    static let contentSecurityPolicy = HTTPHeaders.Name("Content-Security-Policy")

@0xTim
Member

0xTim commented Apr 12, 2022

@EvanHahn looks like newer versions of the compiler were being more strict about duplicate symbols. I've pushed an update to fix all these and updated the branch to main if you want to pull from that. Thanks!

@EvanHahn
Contributor Author

That solved it! Thank you.

@EvanHahn
Contributor Author

I'll have a patch for this tomorrow.

EvanHahn added a commit to EvanHahn/VaporSecurityHeaders that referenced this issue Apr 13, 2022
Surprisingly, [`X-XSS-Protection` is safer when disabled][0], and
browsers are dropping support for it as a result. Because it's less safe
to enable the filter, this change sets the default (and only) value to
`0`, instead of `1; mode=block`.

This is a breaking change.

See [issue brokenhandsio#25][1].

[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[1]: brokenhandsio#25
@EvanHahn
Contributor Author

Made a pull request (#26). Feedback welcome!

@0xTim 0xTim linked a pull request Apr 13, 2022 that will close this issue
EvanHahn added a commit to EvanHahn/VaporSecurityHeaders that referenced this issue Apr 20, 2022
@0xTim 0xTim closed this as completed in #26 Apr 20, 2022
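
The default this issue settled on (keep sending the header, with the value `0` rather than `1; mode=block`) can be checked on any response. The following is an added example, not code from VaporSecurityHeaders or helmet; the function names and the sample responses are constructed for illustration.

```javascript
// Added example: audit a response's X-XSS-Protection header against the
// default agreed in this issue (header present, value exactly "0").
// Function names and sample data are constructed for illustration.

// Parse one raw header value into { state, directives }.
function parseXssProtection(raw) {
  // Repeated header lines are usually folded into one comma-separated value.
  const values = [...new Set(
    String(raw).split(",").map((v) => v.trim()).filter((v) => v !== "")
  )];
  if (values.length === 0) return { state: "invalid", directives: {} };
  // Different values on one response: which one wins is browser-specific,
  // so report it as a misconfiguration instead of guessing.
  if (values.length > 1) return { state: "conflicting", directives: {} };

  const [flag, ...rest] = values[0].split(";").map((p) => p.trim());
  const directives = {};
  for (const part of rest) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    directives[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  if (flag === "0") return { state: "disabled", directives };
  if (flag === "1") return { state: "enabled", directives };
  return { state: "invalid", directives };
}

// Audit a headers object (name -> string or array of strings).
function auditXssProtection(headers) {
  // Header names are case-insensitive, so compare in lower case.
  const found = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "x-xss-protection")
    .map(([, value]) => (Array.isArray(value) ? value.join(",") : String(value)));
  if (found.length === 0) {
    return {
      ok: false,
      state: "missing",
      note: "header not sent; a browser that still has the filter uses its own default",
    };
  }
  const { state, directives } = parseXssProtection(found.join(","));
  const plain = Object.keys(directives).length === 0;
  const notes = {
    disabled: plain ? "filter explicitly turned off" : "0 with extra directives; send plain 0",
    enabled: directives.mode === "block"
      ? "filter on in block mode (the old default this issue replaces)"
      : "filter on",
    conflicting: "more than one distinct value sent",
    invalid: "value is neither 0 nor 1",
  };
  return { ok: state === "disabled" && plain, state, note: notes[state] };
}

// Constructed sample responses.
const SAMPLES = [
  { name: "new default", headers: { "X-XSS-Protection": "0" } },
  { name: "old default", headers: { "x-xss-protection": "1; mode=block" } },
  { name: "header omitted", headers: { "Content-Type": "text/html" } },
  { name: "second value added downstream", headers: { "X-XSS-Protection": ["0", "1; mode=block"] } },
];

function auditAll(samples) {
  return samples.map(({ name, headers }) => ({ name, ...auditXssProtection(headers) }));
}

for (const r of auditAll(SAMPLES)) {
  console.log(`${r.ok ? "PASS" : "FAIL"}  ${r.name}: ${r.state} (${r.note})`);
}
```

Only the first sample passes; the omitted-header case fails on purpose, since the thread's conclusion is to keep setting the header rather than drop it.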