django · felixxm · Aug 7, 2019 · Aug 5, 2019
diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py
@@ -51,15 +51,6 @@
     id='security.W006',
 )
 
-W007 = Warning(
-    "Your SECURE_BROWSER_XSS_FILTER setting is not set to True, "
-    "so your pages will not be served with an "
-    "'X-XSS-Protection: 1; mode=block' header. "
-    "You should consider enabling this header to activate the "
-    "browser's XSS filtering and help prevent XSS attacks.",
-    id='security.W007',
-)
-
 W008 = Warning(
     "Your SECURE_SSL_REDIRECT setting is not set to True. "
     "Unless your site should be available over both SSL and non-SSL "
@@ -162,15 +153,6 @@ def check_content_type_nosniff(app_configs, **kwargs):
     return [] if passed_check else [W006]
 
 
-@register(Tags.security, deploy=True)
-def check_xss_filter(app_configs, **kwargs):
-    passed_check = (
-        not _security_middleware() or
-        settings.SECURE_BROWSER_XSS_FILTER is True
-    )
-    return [] if passed_check else [W007]
-
-
 @register(Tags.security, deploy=True)
 def check_ssl_redirect(app_configs, **kwargs):
     passed_check = (

diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
@@ -369,7 +369,8 @@ The following checks are run if you use the :option:`check --deploy` option:
   set to ``True``, so your pages will not be served with an
   ``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling
   this header to activate the browser's XSS filtering and help prevent XSS
-  attacks.
+  attacks. *This check is removed in Django 3.0 as the ``X-XSS-Protection``
+  header is no longer honored by modern browsers.*
 * **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to
   ``True``. Unless your site should be available over both SSL and non-SSL
   connections, you may want to either set this setting to ``True`` or configure

diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
@@ -2182,6 +2182,10 @@ Default: ``False``
 If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets
 the :ref:`x-xss-protection` header on all responses that do not already have it.
 
+Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although
+the setting offers little practical benefit, you may still want to set the
+header if you support older browsers.
+
 .. setting:: SECURE_CONTENT_TYPE_NOSNIFF
 
 ``SECURE_CONTENT_TYPE_NOSNIFF``

diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py
@@ -402,38 +402,6 @@ def test_with_content_type_nosniff(self):
         self.assertEqual(self.func(None), [])
 
 
-class CheckXssFilterTest(SimpleTestCase):
-    @property
-    def func(self):
-        from django.core.checks.security.base import check_xss_filter
-        return check_xss_filter
-
-    @override_settings(
-        MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
-        SECURE_BROWSER_XSS_FILTER=False,
-    )
-    def test_no_xss_filter(self):
-        """
-        Warn if SECURE_BROWSER_XSS_FILTER isn't True.
-        """
-        self.assertEqual(self.func(None), [base.W007])
-
-    @override_settings(MIDDLEWARE=[], SECURE_BROWSER_XSS_FILTER=False)
-    def test_no_xss_filter_no_middleware(self):
-        """
-        Don't warn if SECURE_BROWSER_XSS_FILTER isn't True and
-        SecurityMiddleware isn't in MIDDLEWARE.
-        """
-        self.assertEqual(self.func(None), [])
-
-    @override_settings(
-        MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
-        SECURE_BROWSER_XSS_FILTER=True,
-    )
-    def test_with_xss_filter(self):
-        self.assertEqual(self.func(None), [])
-
-
 class CheckSSLRedirectTest(SimpleTestCase):
     @property
     def func(self):