Bug 58735 - Add support for X-XSS-Protection header
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: 9.0.0.M1
Hardware: All All
Importance: P2 minor
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2015-12-14 18:09 UTC by Jacopo Cappellato
Modified: 2016-06-25 09:10 UTC

Attachments
The patch that implements this feature. (1.75 KB, patch)
2015-12-14 18:09 UTC, Jacopo Cappellato
Updated patch with filter's documentation (2.50 KB, patch)
2015-12-28 08:59 UTC, Jacopo Cappellato

Description Jacopo Cappellato 2015-12-14 18:09:36 UTC
Created attachment 33349
The patch that implements this feature.

Tomcat's HttpHeaderSecurityFilter allows setting useful security-related headers, but it doesn't support the X-XSS-Protection header: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

The attached patch enhances the filter to support this header.
Comment 1 Mark Thomas 2015-12-19 21:21:54 UTC
Some documentation would be nice:
webapps/docs/config/filter.xml
Comment 2 Jacopo Cappellato 2015-12-28 08:59:01 UTC
Created attachment 33379
Updated patch with filter's documentation
Comment 3 Mark Thomas 2016-01-01 18:16:29 UTC
Patch applied to 9.0.x for 9.0.0.M2 onwards, 8.0.x for 8.0.31 onwards and 7.0.x for 7.0.68 onwards.

Thanks for the patch.
Comment 4 Ralf Hauser 2016-06-25 09:10:54 UTC
See also Bug 59754.