This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

Alter scoring for X-XSS-Protection or remove #254

Open
roycewilliams opened this issue Jul 15, 2021 · 3 comments
Comments

@roycewilliams

roycewilliams commented Jul 15, 2021

X-XSS-Protection has been deprecated - partially due to the rise of CSP, and partially because it can actually increase vulnerability ("XS-Leak" attacks).

References:

@lgarron

lgarron commented Nov 17, 2022

I came here to file this issue, found it already existed! It seems to me that penalizing X-XSS-Protection: 0 (or just leaving off the header) is pretty out of date as a security recommendation at this point.

lgarron added a commit to lgarron/http-observatory that referenced this issue Nov 17, 2022
This addresses mozilla/http-observatory-website#254

To quote https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection :

> Warning: Even though this feature can protect users of older web browsers that don't yet support CSP, in some cases, XSS protection can create XSS vulnerabilities in otherwise safe websites. See the section below for more information.

The cited "section below" provides a concrete example of how the XSS filter can be harmful: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection#vulnerabilities_caused_by_xss_filtering

This PR is a very simple strawperson. It might be worth doing one of the following instead:

- Recognizing possible header values without giving them a score.
- Recognizing certain header values as reasonable, such as `block`.
- Not grading the header, but putting some sort of notice if the header was observed, e.g. "The Mozilla TLS Observatory used to grade the `X-XSS-Protection` header, but this is no longer the case. For details, see: [link here]"
lgarron added a commit to lgarron/http-observatory that referenced this issue Nov 17, 2022
This addresses mozilla/http-observatory-website#254

To quote https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection :

> ## Warning:
>
> Even though this feature can protect users of older web browsers that
> don't yet support CSP, in some cases, XSS protection can create XSS
> vulnerabilities in otherwise safe websites. See the section below for
> more information.
>
> ## Note:
>
> - Chrome has removed their XSS Auditor
> - Firefox has not, and will not implement X-XSS-Protection
> - Edge has retired their XSS filter

The cited "section below" provides a concrete example of how the XSS filter can be harmful: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection#vulnerabilities_caused_by_xss_filtering

This PR is a very simple strawperson. It might be worth doing one of the following instead:

- Recognizing possible header values without giving them a score.
- Recognizing certain header values as reasonable, such as `block`.
- Not grading the header, but putting some sort of notice if the header was observed, e.g. "The Mozilla TLS Observatory used to grade the `X-XSS-Protection` header, but this is no longer the case. For details, see: [link here]"
@ajsimplycast

As above - wanted to recognize the difference between the MDN Guidelines and the scoring being applied for an outdated, unsupported header. Agree this should be removed per the requests above.

@janbrasna

This should already be fixed since mozilla/http-observatory#520 — instead of completely removing the tests, it now assigns ±0 for all the rules (and -5 only for malformed headers) — if there's still any scoring penalty for you, then please report the URL to verify.
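The scoring policy described in this thread (recognize the header's values, give every well-formed value ±0, penalize only malformed values, and surface a deprecation notice when the header is observed at all), as an added illustration that is not the Observatory's own code: the parser, the result codes, the notice text and the sample responses below are all constructed here, and the check for an accompanying Content-Security-Policy is an assumption about what a scanner would want to report alongside the deprecated header.

```python
# Constructed sample responses (header name -> value, already lowercased);
# not captured from any real site.
SAMPLE_RESPONSES = {
    "no-header": {},
    "disabled": {"x-xss-protection": "0"},
    "block": {"x-xss-protection": "1; mode=block"},
    "report": {"x-xss-protection": "1; report=https://example.com/xss-report"},
    "malformed": {"x-xss-protection": "1; mode=blocker"},
    "with-csp": {"content-security-policy": "default-src 'self'",
                 "x-xss-protection": "0"},
}

# Notice wording is constructed; the thread only proposes "some sort of notice".
NOTICE = ("X-XSS-Protection is deprecated and no longer graded; rely on "
          "Content-Security-Policy instead.")


def parse_xss_protection(value):
    """Parse an X-XSS-Protection value into {'enabled', 'mode', 'report'}.
    Returns None when the value is malformed (unknown, duplicated or
    argument-less directive, or a first token other than 0/1)."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        return None
    parsed = {"enabled": parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block" and parsed["mode"] is None:
            parsed["mode"] = "block"
        elif name == "report" and arg and parsed["report"] is None:
            parsed["report"] = arg
        else:
            return None
    return parsed


def score_xss_protection(headers):
    """Score per the thread: 0 when absent or well-formed, -5 only when
    malformed; attach the notice whenever the header is present."""
    csp_present = "content-security-policy" in headers
    value = headers.get("x-xss-protection")
    if value is None:
        return {"score": 0, "result": "x-xss-protection-not-implemented",
                "notice": None, "csp_present": csp_present}
    parsed = parse_xss_protection(value)
    if parsed is None:
        return {"score": -5, "result": "x-xss-protection-header-invalid",
                "notice": NOTICE, "csp_present": csp_present}
    return {"score": 0, "result": "x-xss-protection-observed",
            "notice": NOTICE, "csp_present": csp_present}
```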
