
disable legacy XSS filtering#17289

Merged
Gargron merged 1 commit into mastodon:main from Wonderfall:disable-legacy-xss-protection
Jan 24, 2022

Conversation

@Wonderfall
Contributor

@Wonderfall Wonderfall commented Jan 13, 2022

X-XSS-Protection is a legacy response header that was intended to prevent pages from loading when cross-site scripting attacks were detected by the browser-implemented auditor/filter. It was superseded by the much more modern CSP supported by all modern browsers.

Browsers such as Chromium and Edge fully removed this legacy protection, which is also known to be easy to bypass and to cause a multitude of issues in practice. Research has shown that block mode could be abused to exfiltrate information using a fake reflected XSS (known as XS-Leak attacks). I would be happy to elaborate if you deem it necessary.

The ideal fix should be to set the value of the header to 0, thus effectively disabling the filter/auditor in old browsers, but also in Safari and IE, which are still using it for some reason. Note however that even XSS-Auditor has recently been fully removed from WebKit, so this change will come to Safari soon enough.

In a few months/years it should even be safe to remove the header altogether, saving resources in the end as it would then be a totally useless header. Thanks for considering this PR. :)
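As an added illustration of the change the PR argues for (example code written here, not Mastodon's own code or the contents of this PR), a small Rack-style middleware that pins `X-XSS-Protection` to `0` regardless of what the app or an older default emitted, plus an audit helper that flags a response that still enables the legacy auditor or lacks the CSP that replaces it. The middleware class, helper names and the sample app are all assumptions for this example.

```ruby
# Classify the X-XSS-Protection value in a response header hash.
# Possible directives are "0", "1", "1; mode=block" and "1; report=<url>";
# only a leading "0" actually turns the legacy auditor off.
def xss_protection_status(headers)
  pair = headers.find { |k, _| k.casecmp?('X-XSS-Protection') }
  return :absent if pair.nil?

  pair.last.strip.start_with?('0') ? :disabled : :legacy_filter_enabled
end

# Findings a defender would want from a single response: the old filter
# still engaged (Safari/IE honour it), or no CSP as the modern control.
def audit_headers(headers)
  findings = []
  if xss_protection_status(headers) == :legacy_filter_enabled
    findings << 'legacy XSS auditor still enabled; set X-XSS-Protection: 0'
  end
  unless headers.keys.any? { |k| k.casecmp?('Content-Security-Policy') }
    findings << 'no Content-Security-Policy; CSP is the replacement control'
  end
  findings
end

# Minimal Rack-compatible middleware (hypothetical, no gem required):
# drops any existing X-XSS-Protection header, whatever its case, and
# replaces it with the explicit "0" that disables the auditor.
class DisableLegacyXssFilter
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.reject { |k, _| k.casecmp?('X-XSS-Protection') }
    headers['X-XSS-Protection'] = '0'
    [status, headers, body]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample app that still ships the old block-mode value.
  app = lambda do |_env|
    [200, { 'Content-Type' => 'text/html', 'X-XSS-Protection' => '1; mode=block' }, ['<p>hi</p>']]
  end
  _, headers, _ = DisableLegacyXssFilter.new(app).call({})
  puts headers.inspect
  puts audit_headers(headers).inspect
end
```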

Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
Contributor

@ClearlyClaire ClearlyClaire left a comment


To be honest, I don't fully understand the various attacks making use of X-XSS-Protection, but considering there have been multiple classes of issues involving it, and it's considered deprecated, I think it's indeed safer to disable it.

Thanks for the contribution!

@Gargron Gargron merged commit 244726e into mastodon:main Jan 24, 2022
digitalcircuit added a commit to digitalcircuit/salt-box-quassel that referenced this pull request Jan 28, 2022
ClearlyClaire pushed a commit that referenced this pull request Feb 3, 2022
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
ClearlyClaire pushed a commit that referenced this pull request Feb 3, 2022
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
koba-lab added a commit to koba-lab/mastodon that referenced this pull request Feb 8, 2022
koba-lab added a commit to koba-lab/mastodon that referenced this pull request Feb 8, 2022
ktncode pushed a commit to ktncode/mastodon that referenced this pull request Jun 4, 2025
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.