Bug 58735

Summary: Add support for X-XSS-Protection header
Product: Tomcat 9
Reporter: Jacopo Cappellato <jacopo.cappellato>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: minor
CC: hauser, vaysman
Priority: P2
Version: 9.0.0.M1
Target Milestone: -----
Hardware: All
OS: All
Attachments:
  The patch that implements this feature.
  Updated patch with filter's documentation

Description Jacopo Cappellato 2015-12-14 18:09:36 UTC
Created attachment 33349
The patch that implements this feature.

Tomcat's HttpHeaderSecurityFilter allows setting useful security-related headers, but it doesn't support the X-XSS-Protection header: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

The attached patch enhances the filter to support this header.
Comment 1 Mark Thomas 2015-12-19 21:21:54 UTC
Some documentation would be nice:
webapps/docs/config/filter.xml
Comment 2 Jacopo Cappellato 2015-12-28 08:59:01 UTC
Created attachment 33379
Updated patch with filter's documentation
Comment 3 Mark Thomas 2016-01-01 18:16:29 UTC
Patch applied to 9.0.x for 9.0.0.M2 onwards, 8.0.x for 8.0.31 onwards and 7.0.x for 7.0.68 onwards.

Thanks for the patch.
Comment 4 Ralf Hauser 2016-06-25 09:10:54 UTC
See also Bug 59754