Closed (mstuart closed this 10 years ago)
Ironically, I had left this out originally because it wasn't supported outside of IE. I just did a second look and it may also be in Chrome (although it's unclear).
I'm not a fan of iexss for the naming though. Can you rename it to something like xssProtection?
Sure no problem. Thanks!
Yeah it was a little unclear to me too. It looks like it was introduced many versions back, but no mentions of it since. I think I was heavily inspired by helmet's iexss option :)
Ok, ready to merge now!
Looks like your refactoring PR #13 may cause a few more changes to be made here. Pull that in first and I can patch this commit up to match the new pattern.
I'm not totally up-to-date on MSFT blog posts from 2008, but should the header be configurable with the current hardcoded value as a sane default?
Looks like you can also set it to "0" (same thing as not including the header) or "1" which opts you into it in your intranet zone setting in Settings > Internet options. Our hardcoded default is the best option, but I'll update the PR so it's configurable.
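As an added example (not the project's own code), here is what a configurable middleware for this header might look like: the option value is validated at setup time against the values the header is defined to accept, and a default is applied when none is given. The option name `value` and the default `1; mode=block` are assumptions, since the thread does not state the hardcoded value.

```javascript
'use strict';

// Added example: an Express-style middleware factory for X-XSS-Protection.
// Assumptions (not from the thread): the option is called `value` and the
// default is "1; mode=block". The project's real code may differ.

// The three widely supported values: "0" turns the browser's filter off
// (equivalent to omitting the header), "1" turns it on and lets the browser
// sanitize the page, "1; mode=block" turns it on and blocks rendering instead.
const ALLOWED_VALUES = new Set(['0', '1', '1; mode=block']);
const DEFAULT_VALUE = '1; mode=block';

function xssProtection(options) {
  const opts = options || {};
  const value = opts.value === undefined ? DEFAULT_VALUE : String(opts.value);
  if (!ALLOWED_VALUES.has(value)) {
    // Fail at configuration time rather than emitting a malformed header
    // on every response.
    throw new TypeError('xssProtection: unsupported value ' + JSON.stringify(value));
  }
  return function xssProtectionMiddleware(req, res, next) {
    res.setHeader('X-XSS-Protection', value);
    next();
  };
}

// Helper for checking the middleware offline: run it against a minimal fake
// response object and report which header value it set and whether it
// passed control on.
function applyTo(options) {
  const headers = {};
  const res = { setHeader: (name, v) => { headers[name] = v; } };
  let nextCalled = false;
  xssProtection(options)({}, res, () => { nextCalled = true; });
  return { header: headers['X-XSS-Protection'], nextCalled };
}
```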
@totherik Ok, made it configurable with a sane default. Ready to merge
You need to update the documentation too. It doesn't show that you can pass an optional argument to it.
Ah good catch. Adding that now
K! /cc @lmarkus
:+1:
If 0 is the same as no header, I'm not sure there's any benefit to including a param for it, but I guess it doesn't hurt. I'm good with this as well.
Mark, I'll merge it and then update it when I rebase my other PR. Thanks for the contribution!
Add support for X-XSS-Protection header.
Although it's only useful for older IE browsers (IE8), it's still an important feature. It's still used in the wild today. You see Twitter, Facebook, and Google have it. We will enable this by default.
MEOWWWW