web: Remove deprecated X-XSS-Protection

digitalcircuit · digitalcircuit · commit f67fbc8919cf · 2022-01-27T23:12:40.000-05:00
Remove the X-XSS-Protection header. It's deprecated and can apparently cause security issues. See mastodon/mastodon#17289 And https://github.com/xsleaks/xsleaks/wiki/Links#annex-xss-filters-information-leaks
diff --git a/salt/files/server/web/common/nginx/includes/headers_common b/salt/files/server/web/common/nginx/includes/headers_common
@@ -19,8 +19,13 @@ add_header X-Frame-Options SAMEORIGIN always;
 # Enable Cross-Domain policies only from the server root
 add_header X-Permitted-Cross-Domain-Policies master-only always;
 
-# Enable XSS protection
-add_header X-XSS-Protection "1; mode=block" always;
+## Enable XSS protection
+#add_header X-XSS-Protection "1; mode=block" always;
+#
+# This is deprecated and can actually introduce security issues.
+#
+# See https://github.com/mastodon/mastodon/pull/17289
+# And https://github.com/xsleaks/xsleaks/wiki/Links#annex-xss-filters-information-leaks
 
 # Don't share referrer on downgrade, minimize it on different domains
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
