GetPageSpeed/ngx_security_headers

X-XSS-Protection: 0 is recommended by Mozilla and Google

DavidOsipov opened this issue · 2 comments

Currently, Mozilla and Google do not recommend setting X-XSS-Protection to an enabled state due to the fact that the XSS auditor can even create new XSS vulnerabilities in otherwise secure websites. X-XSS-Protection: 0 is preferred.

I'm not sure what would be the best to do here:

Setting the X-XSS-Protection header to either 0 or 1; mode=block prevents vulnerabilities like the one described above

... while bringing back XSS vulnerability from having disabled XSS filtering. Then for best security, it would be sending 1; mode=block as they suggest.

These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

Perhaps a better option would be sending X-XSS-Protection: 0 only if Content-Security-Policy is set in the response? (always sending either 0 or 1; mode=block doesn't seem like a great default).
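One way to implement the conditional policy proposed in this issue, as an added example that is not code from ngx_security_headers (the function names are assumptions): it sends 0 only when a Content-Security-Policy is present and actually blocks inline scripts (folding in the 'unsafe-inline' point from the quoted Mozilla text), and 1; mode=block otherwise.

```python
"""Pick an X-XSS-Protection value from the response's Content-Security-Policy.

Added illustration of the policy discussed above; not part of ngx_security_headers.
"""
from typing import Dict, List, Optional


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source tokens]}.

    Browsers honour only the first occurrence of a directive, so later
    duplicates are ignored here as well.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def csp_blocks_inline_scripts(policy: str) -> bool:
    """True if script-src (falling back to default-src) disallows inline scripts."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no governing directive: inline scripts are allowed
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return True
    # CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    return any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)


def choose_xss_protection(headers: Dict[str, str]) -> str:
    """Return the X-XSS-Protection value to emit for the given response headers."""
    csp = _get_header(headers, "Content-Security-Policy")
    if csp and csp_blocks_inline_scripts(csp):
        return "0"  # strong CSP present: the legacy auditor is unnecessary
    return "1; mode=block"
```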

Dead weight issue - closing.