disable legacy XSS filtering (mastodon#17289)

Wonderfall · lirixia · commit 8f1d938ac067 · 2025-06-04T18:32:37.000+09:00
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -134,7 +134,7 @@
     'Server'                 => 'Mastodon',
     'X-Frame-Options'        => 'DENY',
     'X-Content-Type-Options' => 'nosniff',
-    'X-XSS-Protection'       => '1; mode=block',
+    'X-XSS-Protection'       => '0',
     'Permissions-Policy'     => 'interest-cohort=()',
   }
 

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@`
`134`	`134`	`'Server' => 'Mastodon',`
`135`	`135`	`'X-Frame-Options' => 'DENY',`
`136`	`136`	`'X-Content-Type-Options' => 'nosniff',`
`137`		`- 'X-XSS-Protection' => '1; mode=block',`
	`137`	`+ 'X-XSS-Protection' => '0',`
`138`	`138`	`'Permissions-Policy' => 'interest-cohort=()',`
`139`	`139`	`}`
`140`	`140`