Fixed #30680 -- Removed obsolete system check for SECURE_BROWSER_XSS_FILTER setting. #11631
Conversation
Thanks, great work. We’d also want a change log note. Perhaps: “The security.W007 check has been removed. It recommended enabling the setting SECURE_BROWSER_XSS_FILTER which sets the X-Xss-Protection header. This is no longer recommended as a security standard as many browsers have removed their XSS filters. You may still want to set the header if you support older browser versions.”
I’m not sure about which browsers have or have not removed their XSS filters (auditors). It might be worth researching just to make a slightly more accurate changelog note.
One last thing is maybe the documentation for the setting needs adjusting too with a note about the XSS auditors going out of style.
@adamchainz I don't think that we need to mention this in the release notes, but agreed we can add sth to a setting description, maybe:
Should we add an information message to the checks framework that goes off when the settings variable is defined, to inform people that it changed / can be removed?
Agree with @felixxm - if a site has it defined already it's not harming them and may be required by their own security policies. Probably we'll need the setting for another 5 years still...
@uadnan Thanks!
Removes security.W007 check as mentioned here https://code.djangoproject.com/ticket/30680