wntrblm · Jonakemon · Jul 25, 2023 · Jul 20, 2023 · Jul 20, 2023 · Jul 20, 2023
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
-      - name: Set up Python 3.9
-        uses: actions/setup-python@v2
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v4
         with:
-          python-version: 3.9
+          python-version: 3.11
 
       - name: Install dependencies
         run: |
@@ -38,13 +38,13 @@ jobs:
 
     strategy:
       matrix:
-        python-version: [2.7, 3.5, 3.6, 3.7, 3.8, 3.9]
+        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: ${{ matrix.python-version }}
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,8 +9,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v4
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip

diff --git a/README.rst b/README.rst
@@ -23,10 +23,6 @@ The default configuration:
    `X-Frame-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options>`_
    to ``SAMEORIGIN`` to avoid
    `clickjacking <https://en.wikipedia.org/wiki/Clickjacking>`_.
--  Sets `X-XSS-Protection
-   <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection>`_
-   to enable a cross site scripting filter for IE and Safari (note Chrome has
-   removed this and Firefox never supported it).
 -  Sets `X-Content-Type-Options
    <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_
    to prevent content type sniffing.
@@ -130,7 +126,7 @@ Options
    directly and only save them instead.
 
 -  ``x_content_type_options``, default ``True``, Protects against MIME sniffing vulnerabilities (`about Content Type Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_).
--  ``x_xss_protection``, default ``True``, Protects against cross-site scripting (XSS) attacks (`about XSS Protection <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection>`_).
+-  ``x_xss_protection``, default ``False``, Protects against cross-site scripting (XSS) attacks (`about XSS Protection <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection>`_).
 
 For a full list of (security) headers, check out: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers.
 

diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py
@@ -90,7 +90,7 @@ def init_app(
             session_cookie_http_only=True,
             session_cookie_samesite=DEFAULT_SESSION_COOKIE_SAMESITE,
             x_content_type_options=True,
-            x_xss_protection=True):
+            x_xss_protection=False):
         """
         Initialization.
 

diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py
@@ -51,7 +51,6 @@ def testDefaults(self):
             'X-Frame-Options': 'SAMEORIGIN',
             'Strict-Transport-Security':
             'max-age=31556926; includeSubDomains',
-            'X-XSS-Protection': '1; mode=block',
             'X-Content-Type-Options': 'nosniff',
             'Referrer-Policy': 'strict-origin-when-cross-origin'
         }
@@ -85,6 +84,14 @@ def testForceSslOptionOptions(self):
         response = self.client.get('/')
         self.assertEqual(response.status_code, 200)
 
+    def testForceXSSProtectionOptions(self):
+        self.talisman.x_xss_protection = True
+
+        # HTTP request from Proxy
+        response = self.client.get('/')
+        self.assertIn('X-XSS-Protection', response.headers)
+        self.assertEqual(response.headers['X-XSS-Protection'], '1; mode=block')
+
     def testHstsOptions(self):
         self.talisman.force_ssl = False
 

diff --git a/noxfile.py b/noxfile.py
@@ -1,7 +1,7 @@
 import nox
 
 
-@nox.session(python='3.9')
+@nox.session(python='3.11')
 def lint(session):
     session.install('docutils', 'pygments', 'flake8', 'flake8-import-order')
     session.install('-e', '.')
@@ -12,7 +12,7 @@ def lint(session):
     session.run('flake8', '--import-order-style=google', 'flask_talisman')
 
 
-@nox.session(python=['3.4', '3.5', '3.6', '3.7', '3.8', '3.9'])
+@nox.session(python=['3.7', '3.8', '3.9', '3.10', '3.11'])
 def tests(session):
     """Run the test suite"""
     session.install('flask', 'mock', 'pytest', 'pytest-cov')