From 93c9d43497fed161c428933602f8112fce43733b Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sun, 24 Mar 2024 21:15:10 +0100 Subject: [PATCH] http/response: get rid of the X-XSS-Protection header It's useless at best, dangerous at worst, and shouldn't be used anymore anywhere. See the following resources for details: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - https://chromestatus.com/feature/5021976655560704 - https://bugzilla.mozilla.org/show_bug.cgi?id=528661 - https://blogs.windows.com/windows-insider/2018/07/25/announcing-windows-10-insider-preview-build-17723-and-build-18204/ --- internal/http/response/builder.go | 1 - internal/http/response/builder_test.go | 1 - 2 files changed, 2 deletions(-) diff --git a/internal/http/response/builder.go b/internal/http/response/builder.go index 97c86fce..caf48d0b 100644 --- a/internal/http/response/builder.go +++ b/internal/http/response/builder.go @@ -96,7 +96,6 @@ func (b *Builder) Write() { } func (b *Builder) writeHeaders() { - b.headers["X-XSS-Protection"] = "1; mode=block" b.headers["X-Content-Type-Options"] = "nosniff" b.headers["X-Frame-Options"] = "DENY" b.headers["Referrer-Policy"] = "no-referrer" diff --git a/internal/http/response/builder_test.go b/internal/http/response/builder_test.go index 7b4d73ef..ccc29c8c 100644 --- a/internal/http/response/builder_test.go +++ b/internal/http/response/builder_test.go @@ -28,7 +28,6 @@ func TestResponseHasCommonHeaders(t *testing.T) { resp := w.Result() headers := map[string]string{ - "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY", }