diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py
index 2f8a0f11ee71f..d3daaa3cecaee 100644
--- a/django/core/checks/security/base.py
+++ b/django/core/checks/security/base.py
@@ -51,15 +51,6 @@
 id='security.W006',
 )
 
-W007 = Warning(
- "Your SECURE_BROWSER_XSS_FILTER setting is not set to True, "
- "so your pages will not be served with an "
- "'X-XSS-Protection: 1; mode=block' header. "
- "You should consider enabling this header to activate the "
- "browser's XSS filtering and help prevent XSS attacks.",
- id='security.W007',
-)
-
 W008 = Warning(
 "Your SECURE_SSL_REDIRECT setting is not set to True. "
 "Unless your site should be available over both SSL and non-SSL "
@@ -162,15 +153,6 @@ def check_content_type_nosniff(app_configs, **kwargs):
 return [] if passed_check else [W006]
 
 
-@register(Tags.security, deploy=True)
-def check_xss_filter(app_configs, **kwargs):
- passed_check = (
- not _security_middleware() or
- settings.SECURE_BROWSER_XSS_FILTER is True
- )
- return [] if passed_check else [W007]
-
-
 @register(Tags.security, deploy=True)
 def check_ssl_redirect(app_configs, **kwargs):
 passed_check = (
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index b1f9e085b4600..99f4e1d316c73 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -369,7 +369,8 @@ The following checks are run if you use the :option:`check --deploy` option: set to ``True``, so your pages will not be served with an ``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS - attacks. + attacks. *This check is removed in Django 3.0 as the ``X-XSS-Protection`` + header is no longer honored by modern browsers.* * **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to ``True``. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting to ``True`` or configure
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 6aed2f862f139..1c845b0df1020 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2182,6 +2182,10 @@ Default: ``False`` If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`x-xss-protection` header on all responses that do not already have it. +Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although +the setting offers little practical benefit, you may still want to set the +header if you support older browsers. + .. setting:: SECURE_CONTENT_TYPE_NOSNIFF ``SECURE_CONTENT_TYPE_NOSNIFF``
diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py
index e6fe1f6cb79ba..e6728606ef82d 100644
--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
@@ -402,38 +402,6 @@ def test_with_content_type_nosniff(self):
 self.assertEqual(self.func(None), [])
 
 
-class CheckXssFilterTest(SimpleTestCase):
- @property
- def func(self):
- from django.core.checks.security.base import check_xss_filter
- return check_xss_filter
-
- @override_settings(
- MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
- SECURE_BROWSER_XSS_FILTER=False,
- )
- def test_no_xss_filter(self):
- """
- Warn if SECURE_BROWSER_XSS_FILTER isn't True.
- """
- self.assertEqual(self.func(None), [base.W007])
-
- @override_settings(MIDDLEWARE=[], SECURE_BROWSER_XSS_FILTER=False)
- def test_no_xss_filter_no_middleware(self):
- """
- Don't warn if SECURE_BROWSER_XSS_FILTER isn't True and
- SecurityMiddleware isn't in MIDDLEWARE.
- """
- self.assertEqual(self.func(None), [])
-
- @override_settings(
- MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
- SECURE_BROWSER_XSS_FILTER=True,
- )
- def test_with_xss_filter(self):
- self.assertEqual(self.func(None), [])
-
-
 class CheckSSLRedirectTest(SimpleTestCase):
 @property
 def func(self):