Open roycewilliams opened 3 years ago
I came here to file this issue and found it already existed! It seems to me that penalizing X-XSS-Protection: 0 (or just leaving off the header) is pretty out of date as a security recommendation at this point.
As above - wanted to recognize the difference between the MDN Guidelines and the scoring being applied for an outdated, unsupported header. Agree this should be removed per the requests above.
This should be already fixed since https://github.com/mozilla/http-observatory/pull/520 — instead of completely removing the tests it now assigns ±0 for all the rules (and -5 only for malformed headers) — if there's still any scoring penalty for you then please report the URL to verify.
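The scoring rule described in the comment above (no change for any well-formed value or for an absent header, -5 only when the value is malformed), as an added example that is not part of the thread and not the http-observatory code. It assumes the header grammar documented for X-XSS-Protection (`0`, `1`, `1; mode=block`, `1; report=<uri>`), treats anything else as malformed, and runs over constructed sample responses; the CSP finding is informational only, since the thread gives no score for it.

```python
"""Score X-XSS-Protection the way the thread describes: any well-formed value
or an absent header scores 0, a malformed value scores -5.  Constructed
example; it is not the http-observatory implementation."""

import re

# Documented forms of the (deprecated) header: "0", "1", "1; mode=block",
# "1; report=<uri>".  Anything else is treated as malformed (assumption).
_XXP_RE = re.compile(
    r"^\s*(?P<flag>[01])\s*"
    r"(?:;\s*(?:(?P<mode>mode)\s*=\s*block|(?P<report>report)\s*=\s*(?P<uri>\S+))\s*)?$",
    re.IGNORECASE,
)

MALFORMED_PENALTY = -5  # the only penalty the thread mentions


def parse_x_xss_protection(value):
    """Return a dict describing a well-formed header value, or None if malformed."""
    m = _XXP_RE.match(value)
    if not m:
        return None
    flag = m.group("flag")
    if flag == "0" and (m.group("mode") or m.group("report")):
        return None  # parameters are only documented together with "1"
    return {
        "enabled": flag == "1",
        "block": bool(m.group("mode")),
        "report": m.group("uri"),
    }


def parse_response_headers(raw):
    """Turn a raw HTTP/1.1 response head into {lower-cased name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def score_headers(headers):
    """Return (score_delta, findings) for the X-XSS-Protection rule."""
    findings = []
    delta = 0
    xxp = headers.get("x-xss-protection")
    if xxp is None:
        findings.append("x-xss-protection absent: no penalty, header is deprecated (0)")
    else:
        parsed = parse_x_xss_protection(xxp)
        if parsed is None:
            delta += MALFORMED_PENALTY
            findings.append(f"x-xss-protection malformed ({xxp!r}): {MALFORMED_PENALTY}")
        elif parsed["enabled"]:
            findings.append("x-xss-protection enabled: no penalty, auditor gone from modern browsers (0)")
        else:
            findings.append("x-xss-protection: 0 explicitly disables the legacy auditor (0)")
    if "content-security-policy" not in headers:
        findings.append("content-security-policy absent: CSP is the supported replacement")
    return delta, findings


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "modern": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n"
              "X-XSS-Protection: 0\r\n\r\n",
    "legacy": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "broken": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=blcok\r\n\r\n",
}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        delta, findings = score_headers(parse_response_headers(raw))
        print(f"{name}: {delta:+d}")
        for f in findings:
            print("  -", f)
```

Only the "broken" response loses points; both sending `X-XSS-Protection: 0` and omitting the header score the same, which is the behaviour the comment above describes.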
X-XSS-Protection has been deprecated - partially due to the rise of CSP, and partially because it can actually increase vulnerability ("XS-Leak" attacks).
References: