Closed ChunxiAlexLuo closed 2 years ago
Kudos, SonarCloud Quality Gate passed!
@ChunxiAlexLuo while the CSP is good, the X-XSS-Protection (even if largely deprecated) I expect will be a problem for the customer. The CSP may prevent XSS, but the Protection header certainly shouldn't be set to disabled.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
I'm also not an owner so my approval will not trigger any merge.
I also noticed this before this PR and found the helmet default disables X-XSS-Protection; if you think there is a need I can try to enable it in the helmet. https://github.com/helmetjs/helmet/issues/230
Just let you review and if you think it is LGTM then @dhaiducek or @JustinKuli can approve it
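As an added example (not code from this PR, nor from the helmet project), the following Node script shows the two headers under discussion side by side: a small audit that flags a missing Content-Security-Policy and an X-XSS-Protection header that is explicitly disabled (`0`, which is what helmet's default emits per the linked issue), and a header-setting function that sets `1; mode=block` explicitly. The header names and directive syntax are real; the function names, the severity labels and the in-memory response object are assumptions made for this illustration. The header remains largely deprecated in current browsers, so the CSP finding is the one that matters most; the X-XSS-Protection check is there to catch the "set to disabled" case raised above.

```javascript
// Added example, not part of the PR or of helmet. Plain Node, no dependencies.

// Parse an X-XSS-Protection value such as "0", "1", "1; mode=block" or
// "1; report=<url>" into a small descriptor. Returns null when absent.
function parseXssProtection(value) {
  if (value === undefined || value === null) return null;
  const parts = String(value).split(';').map((p) => p.trim()).filter(Boolean);
  const result = { enabled: parts[0] === '1', mode: null, report: null, raw: String(value) };
  for (const directive of parts.slice(1)) {
    const [key, ...rest] = directive.split('=');
    const val = rest.join('=').trim();
    const name = key.trim().toLowerCase();
    if (name === 'mode') result.mode = val;
    if (name === 'report') result.report = val;
  }
  return result;
}

// Audit a headers object with lower-cased keys (the shape Node's http module
// exposes). Severity labels are constructed for this example.
function auditSecurityHeaders(headers) {
  const findings = [];
  if (!headers['content-security-policy']) {
    findings.push({ header: 'Content-Security-Policy', severity: 'high', message: 'missing' });
  }
  const xss = parseXssProtection(headers['x-xss-protection']);
  if (xss === null) {
    findings.push({ header: 'X-XSS-Protection', severity: 'low', message: 'missing' });
  } else if (!xss.enabled) {
    // This is the case the review comment objects to: the header present but set to 0.
    findings.push({ header: 'X-XSS-Protection', severity: 'low', message: 'explicitly disabled (0)' });
  } else if (xss.mode !== 'block') {
    findings.push({ header: 'X-XSS-Protection', severity: 'info', message: 'enabled without mode=block' });
  }
  return findings;
}

// Set both headers on any object with setHeader(), e.g. Node's ServerResponse.
// Unlike helmet's default, X-XSS-Protection is set to "1; mode=block".
function applySecurityHeaders(res, options) {
  const opts = options || {};
  res.setHeader('Content-Security-Policy', opts.csp || "default-src 'self'");
  res.setHeader('X-XSS-Protection', opts.xssProtection || '1; mode=block');
  return res;
}

// Constructed in-memory stand-in for a response, so the script runs offline.
function makeFakeResponse() {
  const store = {};
  return {
    setHeader(name, value) { store[name.toLowerCase()] = value; },
    getHeader(name) { return store[name.toLowerCase()]; },
    getHeaders() { return Object.assign({}, store); },
  };
}

// Usage: audit a helmet-style default response, then a hardened one.
const helmetLike = { 'x-xss-protection': '0' };
console.log('helmet-like default:', auditSecurityHeaders(helmetLike));
const hardened = applySecurityHeaders(makeFakeResponse()).getHeaders();
console.log('hardened:', auditSecurityHeaders(hardened));
```

Running the script reports two findings for the helmet-like response (CSP missing, X-XSS-Protection disabled) and none for the hardened one; point `auditSecurityHeaders` at the headers of a real response to check a deployed service the same way.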
Checking the triage doc it looks like X-XSS-Protection was not a header they were concerned with.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ChunxiAlexLuo, dhaiducek, pshickeydev
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Determined in https://github.com/stolostron/backlog/issues/23853#issuecomment-1198611555 that this PR does not address issue #23853
Refs:
Signed-off-by: Chunxi Luo chuluo@redhat.com