umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com

X-XSS-Protection health check is out of date #13341

Open JasonElkin opened 2 years ago

JasonElkin commented 2 years ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

10.2.0

Bug summary

The X-XSS-Protection header is no longer recommended, and can itself represent a vulnerability.

Specifics

See MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection And also OWASP: https://owasp.org/www-project-secure-headers/

Steps to reproduce

Run the Cross-site scripting Protection (X-XSS-Protection header) health check.

It fails if the header is not found.

Expected result / actual result

The health check should probably fail if the header exists, or if the value is not 0 - which seems to be the preferred approach from OWASP.

Alternatively, the check could be removed altogether - which I think is what MDN implies.


_This item has been added to our backlog AB#24237_
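To make the proposed change concrete, here is an added example (not Umbraco's health-check code) of the old rule beside the rule suggested above: the legacy check fails when the header is absent, while the updated check passes only when the header is absent or set to `0` and fails on any other value. The sample header sets are constructed, not captured from a real site.

```python
from dataclasses import dataclass
from typing import List, Mapping, Sequence

# Constructed sample responses (not captured from any real site).
# Each maps header name -> list of values, since a header may repeat.
SAMPLE_RESPONSES = {
    "absent": {"Content-Type": ["text/html"]},
    "disabled": {"X-XSS-Protection": ["0"]},
    "legacy_block": {"x-xss-protection": ["1; mode=block"]},
    "enabled": {"X-XSS-Protection": ["1"]},
    "conflicting": {"X-XSS-Protection": ["0", "1; mode=block"]},
}


@dataclass(frozen=True)
class CheckResult:
    passed: bool
    message: str


def _header_values(headers: Mapping[str, Sequence[str]], name: str) -> List[str]:
    """Collect every value of a header, matching the name case-insensitively."""
    wanted = name.lower()
    return [v.strip() for k, vals in headers.items() if k.lower() == wanted for v in vals]


def legacy_check(headers: Mapping[str, Sequence[str]]) -> CheckResult:
    """Pre-fix behaviour described in the issue: fail when the header is missing."""
    if _header_values(headers, "X-XSS-Protection"):
        return CheckResult(True, "X-XSS-Protection header found")
    return CheckResult(False, "X-XSS-Protection header not found")


def updated_check(headers: Mapping[str, Sequence[str]]) -> CheckResult:
    """Behaviour proposed in the issue: pass only when the header is absent or
    explicitly '0'; any other value re-enables the deprecated browser filter."""
    values = _header_values(headers, "X-XSS-Protection")
    if not values:
        return CheckResult(True, "X-XSS-Protection not set (recommended)")
    if all(v == "0" for v in values):
        return CheckResult(True, "X-XSS-Protection is '0' (filter disabled)")
    bad = [v for v in values if v != "0"]
    return CheckResult(False, f"X-XSS-Protection set to {bad}; remove it or set it to 0")


def run_all() -> dict:
    """Evaluate the updated rule over every constructed sample."""
    return {name: updated_check(h).passed for name, h in SAMPLE_RESPONSES.items()}
```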

github-actions[bot] commented 2 years ago

Hi there @JasonElkin!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

JasonElkin commented 1 year ago

Haha, hi @lassefredslund I've just started looking at fixing this at the hackathon - updating the test to make sure that the header doesn't exist.

lassefredslund commented 1 year ago

That's just perfect @JasonElkin. Thank you so much. I'll remove it from the sprint-candidate list.

Zeegaan commented 1 year ago

Hey @JasonElkin What is the status on this 🤞

JasonElkin commented 1 year ago

Hey @Zeegaan,

Wow, has it really been 14 days 😳. I went down a bit of a rabbit hole with the base class and things got away from me.

Not likely to have time to get further with it until next week but happy if someone else wants to take a look before then.

Zeegaan commented 1 year ago

@JasonElkin All good, take your time 🙏 Just making sure it's still active 😁

AaronSadlerUK commented 1 year ago

@nul800sebastiaan Submitted PR #13936 to resolve this

tristanjthompson commented 1 year ago

Thank you @AaronSadlerUK! I'm just pulling it down to test it now.

tristanjthompson commented 1 year ago

Tested in the PR - all passing ✅

nul800sebastiaan commented 1 year ago

~Fixed in https://github.com/umbraco/Umbraco-CMS/pull/13936~

nul800sebastiaan commented 1 year ago

We had to revert the PR for this unfortunately due to a breaking change, so this one is open again and still up for grabs. Sorry for the premature party here! 😅

github-actions[bot] commented 1 year ago

Hi @JasonElkin,

We're writing to let you know that we would love some help with this issue. We feel that this issue is ideal to flag for a community member to work on it. Once flagged here, folk looking for issues to work on will know to look at yours. Of course, please feel free to work on this yourself ;-). If there are any changes to this status, we'll be sure to let you know.

For more information about issues and states, have a look at this blog post.

Thanks muchly, from your friendly Umbraco GitHub bot :-)

miguelcrpinto commented 1 year ago

Shouldn't this health check just be removed instead of returning pass whenever the header is not present?

miguelcrpinto commented 1 year ago

@nul800sebastiaan is this issue still relevant? I checked in a vanilla installation of V12.0.0 and the health check is displaying the following: [image]

In any case, I'd suggest to just remove this health check

anthonycodedynamo commented 11 months ago

I'd echo the comment by @miguelcrpinto. This seems to be resolved now, unless you want to remove the check altogether.

The revert at https://github.com/umbraco/Umbraco-CMS/commit/180fae342e9fdbe775f3ff13a2b6122b8c624e30 didn't reverse the commit, it modified the checked-in code to prevent it being a breaking change by adding a new constructor.

No?!