From 27d4b713f6281e531d9622de09373adf7170384b Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Mon, 21 Mar 2022 06:30:37 +0100 Subject: [PATCH] disable legacy X-XSS-Protection feature Obsolete in every modern browser, unsafe, and replaced by CSP --- src/util.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/util.rs b/src/util.rs index de61a354..d984dae0 100644 --- a/src/util.rs +++ b/src/util.rs @@ -32,7 +32,8 @@ impl Fairing for AppHeaders { res.set_raw_header("Referrer-Policy", "same-origin"); res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); res.set_raw_header("X-Content-Type-Options", "nosniff"); - res.set_raw_header("X-XSS-Protection", "1; mode=block"); + // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP + res.set_raw_header("X-XSS-Protection", "0"); let csp = format!( // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US