Fixed #30680 -- Removed obsolete system check for SECURE_BROWSER_XSS_FILTER setting.

[uadnan]

Removes security.W007 check as mentioned here https://code.djangoproject.com/ticket/30680

[adamchainz]

Thanks, great work. We’d also want a change log note. Perhaps: “The security.W007 check has been removed. It recommended enabling the setting SECURE_BROWSER_XSS_FILTER which sets the X-Xss-Protection header. This is no longer recommended as a security standard as many browsers have removed their XSS filters. You may still want to set the header if you support older browser versions.”

I’m not sure about which browsers have or have not removed their XSS filters (auditors). It might be worth researching just to make a slightly more accurate changleig note.

One last thing is maybe the documentation for the setting needs adjusting too with a note about the XSS auditors going out of style.

[felixxm]

@adamchainz I don't think that we need to mention this in the release notes, but agreed we can add sth to a setting description, maybe:

Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although
the setting offers little practical benefit, however you may still want to set
the header if you support older browsers.

[uadnan]

I agree with @felixxm. Thanks @felixxm for changes

[MarkusH]

Should we add a information message to the checks framework that goes off when the settings variable is defined, to inform people that it changed / can be removed?

[felixxm]

@MarkusH I don't think so, we removed security checks in the past without such steps (e.g. c27104a). Everyone should decide on their own we just do not recommend this anymore as a part of increasing security.

[adamchainz]

Agree with @felixxm - if a site has it defined already it's not harming them and may be required by their own security policies. Probably we'll need the setting for another 5 years still...

[felixxm]

@uadnan Thanks!