Bug 66622 - Enabling httpHeaderSecurity includes X-XSS-Protection the protection header which goes against Mozilla recommendations
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.x-trunk
Hardware: All, OS: All
Importance: P2 enhancement
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2023-05-31 13:34 UTC by Jonathan Schulze-Hewett
Modified: 2023-05-31 17:28 UTC
Description Jonathan Schulze-Hewett 2023-05-31 13:34:23 UTC
In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection Mozilla states that no web facing server should send the X-XSS-Protection header, but when enabling the httpHeaderSecurity filter X-XSS-Protection is one of the headers added. It would be better to exclude it.
Comment 1 Mark Thomas 2023-05-31 17:13:56 UTC
Given the status and history of that feature I intend to do the following:

- change the default for xssProtectionEnabled to false
- deprecate the feature in 8.5.x to 10.1.x
- remove the feature in 11.0.x
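As an added example (not part of this bug report or of Tomcat's own configuration files), this is how a deployment running a release that still defaults xssProtectionEnabled to true can stop sending X-XSS-Protection today while keeping the filter's other headers; it assumes the filter is declared in the application's web.xml under the name httpHeaderSecurity and that the other init-param names shown are the ones the filter documents.

```xml
<!-- Added example: HttpHeaderSecurityFilter declared with the
     X-XSS-Protection header switched off. On releases before the fix
     listed in this bug the default for xssProtectionEnabled is true,
     so the parameter has to be set explicitly to false. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <!-- Keep the headers that are still recommended -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- Do not emit X-XSS-Protection (the header this bug is about) -->
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

After redeploying, inspecting the response headers of any page served through the filter (for instance with `curl -sI`) should show Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options but no X-XSS-Protection.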
Comment 2 Mark Thomas 2023-05-31 17:28:45 UTC
Fixed in:
- 11.0.x for 11.0.0-M7 onwards
- 10.1.x for 10.1.10 onwards
-  9.0.x for  9.0.76 onwards
-  8.5.x for  8.5.90 onwards