Add rule(s) to check the usage of the `X-XSS-Protection` HTTP header
- [x] Check if the header is sent for non-HTML resources (e.g.: on images, fonts, etc.) - done in https://github.com/MicrosoftEdge/Sonar/commit/c55bdfb8f57b3d6a4b48bd1ed5caab25d6a20171.
- [ ] Check if the header value is `1; mode=block`. (?)
See also:
- https://blog.innerht.ml/the-misunderstood-x-xss-protection/
While sending this header is still effective in older browsers, it may be considered deprecated:
- Chrome has ~~an "Intent to Deprecate and Remove the XSS Auditor"~~ removed their XSS auditor.
- Firefox has not, and will not, implement `X-XSS-Protection`.
- Edge retired their XSS filter in 2018:
We are retiring the XSS filter in Microsoft Edge beginning in today’s build. Our customers remain protected thanks to modern standards like Content Security Policy, which provide more powerful, performant, and secure mechanisms to protect against content injection attacks, with high compatibility across modern browsers.
If a site is using CSP without allowing `unsafe-inline` for scripts, then `X-XSS-Protection` has very little value.
Safari has removed this header. However, Safari updates are tied to iOS updates (and to a lesser degree, macOS updates). For that reason, versions of Safari that include the XSS filter will still be in use for a few years.
OWASP recommends sending `X-XSS-Protection: 0` because the XSS auditor ironically exposes vulnerabilities. See https://owasp.org/www-project-secure-headers/#div-headers
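As an added illustration of the rule this issue asks for (not Sonar/webhint code), the checker below takes a response's headers and reports the issue's two checklist items: the header sent on a non-HTML resource, and a value other than `1; mode=block`. Because the discussion above ends with the OWASP recommendation to send `0` instead, it also takes a `preferDisabled` option that flips the expected value to `0`. The function names `checkXssProtection`, `parseXssProtection`, the `preferDisabled` option and the sample responses are all assumptions made for this example.

```javascript
// Added example (not webhint/Sonar code): a stand-alone checker for the
// X-XSS-Protection header, following the issue's checklist and the later
// discussion. `checkXssProtection`, `parseXssProtection` and the
// `preferDisabled` option are names assumed for this illustration.

const HTML_MEDIA_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// "text/html; charset=utf-8" -> "text/html"
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// HTTP header names are case-insensitive; look the header up accordingly.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : String(headers[key]);
}

// Parse "0" | "1" [ ";" directive ]* where a directive is "mode=block" or
// "report=<uri>". Returns null when the value does not follow that shape.
function parseXssProtection(value) {
  const parts = value.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0 || (parts[0] !== '0' && parts[0] !== '1')) {
    return null;
  }
  const directives = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    if (eq < 0) {
      return null;
    }
    directives[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return { enabled: parts[0] === '1', directives };
}

// response: { headers: { 'Content-Type': ..., 'X-XSS-Protection': ... } }
// preferDisabled: false -> expect "1; mode=block" (the issue's original check)
//                 true  -> expect "0" (the OWASP recommendation in the discussion)
function checkXssProtection(response, { preferDisabled = false } = {}) {
  const findings = [];
  const isHtml = HTML_MEDIA_TYPES.has(mediaType(getHeader(response.headers, 'content-type')));
  const raw = getHeader(response.headers, 'x-xss-protection');

  if (raw === undefined) {
    if (isHtml) {
      findings.push("'x-xss-protection' header is not sent on an HTML resource");
    }
    return findings;
  }

  // The header only matters for documents a browser renders as HTML; sending
  // it with images, fonts, scripts, etc. is wasted bytes.
  if (!isHtml) {
    findings.push("'x-xss-protection' header should not be sent for non-HTML resources");
  }

  const parsed = parseXssProtection(raw);
  if (parsed === null) {
    findings.push(`'x-xss-protection' header value '${raw}' is not valid`);
    return findings;
  }

  if (preferDisabled) {
    if (parsed.enabled) {
      findings.push("'x-xss-protection' header value should be '0' (the auditor itself can be abused)");
    }
  } else if (!parsed.enabled) {
    findings.push("'x-xss-protection' header value should be '1; mode=block', not '0'");
  } else if (parsed.directives.mode !== 'block') {
    findings.push("'x-xss-protection' header value should be '1; mode=block'");
  }

  return findings;
}

// Constructed sample responses (not captured from any real site).
const samples = [
  { url: 'https://example.test/', headers: { 'Content-Type': 'text/html; charset=utf-8', 'X-XSS-Protection': '1; mode=block' } },
  { url: 'https://example.test/logo.png', headers: { 'content-type': 'image/png', 'x-xss-protection': '1; mode=block' } },
  { url: 'https://example.test/page2', headers: { 'Content-Type': 'text/html', 'X-XSS-Protection': '1' } },
];

for (const sample of samples) {
  console.log(sample.url, checkXssProtection(sample));
  console.log(sample.url, '(prefer 0)', checkXssProtection(sample, { preferDisabled: true }));
}
```

The value check is deliberately kept separate from the non-HTML check so that an image served with `1; mode=block` produces one finding about the resource type rather than being reported as a valid header; the `report=` directive is parsed but not judged, since the issue does not ask for it.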