kevinhakanson.com

X-XSS-Protection is Dead, Long Live Content-Security-Policy

October 11, 2018 #http #webdev #security

In mid-July it was reported that XSS protection disappears from Microsoft Edge and Find out what’s new in Windows and Office in October confirms this happened.

Retired XSS Filter: We are retiring the XSS filter in Microsoft Edge beginning with the October 2018 Update. Our customers remain protected thanks to modern standards like Content Security Policy, which provide more powerful, performant and secure mechanisms to protect against content injection attacks, with high compatibility across modern browsers.

MDN Web Docs for X-XSS-Protection also refer to Content Security Policy (CSP) as the preferred solution

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don’t yet support CSP.

Now go back to XSS protection disappears from Microsoft Edge and see their analysis.

“The XSS Filter is supposed to be on by default,” Heyes explained. “However, it is now off by default, and even if you try to turn it on with X-XSS-Protection: 1 it remains off.”

“The only way to actually turn it on now is when you have the header X-XSS-Protection: 1; mode=block.”

So, unless you are targeting IE11 (see https://caniuse.com/#feat=contentsecuritypolicy), it seems like it is time to embrace the Content-Security-Policy HTTP Header Braindump.


© 2020 Kevin Hakanson (built with Gatsby)