As you know, Google Chrome developers disabled the XSS Auditor. Developers should be able to disable the auditor for older browsers and set it to 0.
The X-XSS-Protection header was found to have a multitude of issues instead of helping developers protect their application (e.g. bypass of the X-XSS-Protection header).
The following discussion describes the issue at hand with more references:
https://github.com/OWASP/CheatSheetSeries/issues/376
https://github.com/OWASP/CheatSheetSeries/pull/378
Available for further discussions 😄
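As an added example, not part of the original issue or of the OWASP CheatSheetSeries project, a small Python check that parses the X-XSS-Protection header value and reports responses that still enable the legacy auditor (anything other than `0`) or lack a Content-Security-Policy; the headers dict and the sample responses are constructed.

```python
"""Audit X-XSS-Protection and Content-Security-Policy in an HTTP response.

Constructed example, not code from the OWASP CheatSheetSeries project.
Assumes response headers are supplied as a dict (header names in any case).
"""
from typing import Dict, List


def parse_xss_protection(value: str) -> dict:
    """Parse a value such as '1; mode=block; report=/r' into its directives.

    Returns {'enabled': bool, 'mode': str | None, 'report': str | None}.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"malformed X-XSS-Protection value: {value!r}")
    result = {"enabled": parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in ("mode", "report"):
            result[name] = val.strip()
    return result


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the recommended state (0 plus CSP)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: set it to '0' so legacy auditors stay off")
    elif parse_xss_protection(xss)["enabled"]:
        findings.append("X-XSS-Protection enables the legacy auditor: set it to '0'")
    if "content-security-policy" not in lower:
        findings.append("Content-Security-Policy missing: rely on CSP, not the XSS auditor")
    return findings


# Constructed sample responses (not captured from a real server).
LEGACY = {"X-XSS-Protection": "1; mode=block", "Content-Type": "text/html"}
RECOMMENDED = {"X-XSS-Protection": "0", "Content-Security-Policy": "default-src 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("legacy", LEGACY), ("recommended", RECOMMENDED)):
        print(name, audit_headers(hdrs) or ["ok"])
```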