Comments (2)
While sending this header is still effective in older browsers, it may be considered deprecated:
- Chrome has
an "Intent to Deprecate and Remove the XSS Auditor"removed their XSS auditor. - Firefox have not, and will not implement
X-XSS-Protection
. - Edge retired their XSS filter in 2018:
We are retiring the XSS filter in Microsoft Edge beginning in today’s build. Our customers remain protected thanks to modern standards like Content Security Policy, which provide more powerful, performant, and secure mechanisms to protect against content injection attacks, with high compatibility across modern browsers.
If a site is using CSP, without allowing unsafe-inline
for scripts then X-XSS-Protection
has very little value.
from hint.
Safari has removed this header. However, Safari updates are tied to iOS updates (and to a lesser degree, macOS updates). For that reason, versions of Safari that include the XSS filter will still be in use for a few years.
OWASP recommends sending X-XSS-Protection: 0
because the XSS auditor ironically exposes vulnerabilities. See https://owasp.org/www-project-secure-headers/#div-headers
from hint.
Related Issues (20)
- [Bug] Describe your bug here
- [Bug] text-underline-offset is not supported in Firefox for Android.. but it is? HOT 1
- [Bug] Webhint does not seem to work when used in a Nuxt project.
- [Bug] Bug description
- [Bug] Throws exception when used in development mode in a git worktree
- [Bug] Bug description HOT 2
- Router
- [Bug] ''A form field element should have an id or name attribute'' should not display for `type="search"` inputs
- [Feature] Verify extension in Visual Studio Marketplace
- [Bug] Reenable Broken link found (404 response). HOT 1
- [Bug] Reenable lint-markdown-validator as a scheduled pipeline
- Console HOT 1
- cachae control missing Error
- [Feature] Update MDN compat data - it's 2 years old HOT 2
- [Bug] Bug description
- [Bug] axe-core reports "same id ...for control" even though they are isolated by a shadow-root HOT 1
- [Bug] Describe your bug here HOT 1
- [VSCode extension] how to see all hint issues in my project without opening all files?
- [Bug] Describe your bug here
- [Bug] No browser detected even if two installed & working
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hint.