Closed stanley101music closed 10 months ago
According to the OWASP Secure Headers Project, the `X-XSS-Protection` header is deprecated. Although I didn't find a formal RFC or document saying it's deprecated, caniuse shows that almost all modern browsers do not support this HTTP header, and MDN also mentions that it is non-standard and recommends using `Content-Security-Policy` instead. Perhaps `X-XSS-Protection` should have the issue as `Deprecated Header` in addition to `Unsafe Value` and `Duplicated Values`.

P.S. There might be a typo in `insecure.txt`, where `v` is lower case in `Content-Security-Policy: Incorrect values` and others are `Values`.

Hi!

You're absolutely right: it's time for 'humble' to clearly warn that X-XSS-Protection is deprecated (it might make some sense in older browsers that don't support CSP, but ironically enabling this header -with values other than '0'- can introduce XSS vulnerabilities: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).

Added new check in: https://github.com/rfc-st/humble/commit/1c3c3dc6b4680adefddbc4c0edbe040e179c2d56

I have also fixed the typo in the insecure.txt file.

Thank you!

Best regards,
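The check discussed in this issue, written out as an added example (not humble's own code and not from the linked commit): it parses a raw response head, keeps repeated headers apart, and reports `X-XSS-Protection` as deprecated whenever it is present, as an unsafe value when the on/off switch is anything other than `0`, and as duplicated when the header is sent more than once. The function names, the finding labels and the sample responses are assumptions constructed for the example.

```python
from collections import defaultdict

HEADER = "x-xss-protection"

# Finding labels (assumed names, modelled on the wording used in this issue)
DEPRECATED_HEADER = "Deprecated Header"
UNSAFE_VALUE = "Unsafe Value"
DUPLICATED_VALUES = "Duplicated Values"


def parse_raw_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lowercased name: [value, ...]}.

    Repeated headers are kept as separate list entries so that duplicates
    can be reported instead of silently collapsed into one value.
    """
    headers = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def check_x_xss_protection(headers: dict) -> list:
    """Return the findings for X-XSS-Protection ([] if the header is absent).

    Any presence is reported as deprecated. Only the value '0' (filter off)
    is treated as safe: '1' and '1; mode=block' re-enable the legacy
    auditor, which MDN documents as a source of XSS in older browsers.
    """
    values = headers.get(HEADER)
    if not values:
        return []
    findings = [DEPRECATED_HEADER]
    if len(values) > 1:
        findings.append(DUPLICATED_VALUES)
    # The first ';'-separated token carries the on/off switch
    switches = [v.split(";", 1)[0].strip() for v in values]
    if any(switch != "0" for switch in switches):
        findings.append(UNSAFE_VALUE)
    return findings


def report(raw: str) -> dict:
    """Run the check and record whether the recommended replacement, CSP, is present."""
    headers = parse_raw_headers(raw)
    return {
        "findings": check_x_xss_protection(headers),
        "csp_present": "content-security-policy" in headers,
    }


# Constructed sample responses (not captured from any real site)
SAMPLE_LEGACY = """HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 1; mode=block
"""

SAMPLE_OFF = """HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 0
Content-Security-Policy: default-src 'self'
"""

SAMPLE_DUPLICATE = """HTTP/1.1 200 OK
X-XSS-Protection: 0
X-XSS-Protection: 1
"""

if __name__ == "__main__":
    for label, raw in [("legacy", SAMPLE_LEGACY), ("off", SAMPLE_OFF),
                       ("duplicate", SAMPLE_DUPLICATE)]:
        print(label, report(raw))
```

Reporting the header as deprecated even when its value is `0` is deliberate: `0` is the only value that does no harm, but the finding still tells the operator the header is dead weight and that `Content-Security-Policy` is the mechanism to invest in.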