Drop XSS auditor
authorr3g_5z <june@terezi.dev>
Sun, 20 Nov 2022 01:40:20 +0000 (20:40 -0500)
committerr3g_5z <june@terezi.dev>
Sun, 20 Nov 2022 01:40:20 +0000 (20:40 -0500)
It's deprecated, has been removed by all modern browsers, and is known
to introduce XSS vulnerabilities of its own.

Signed-off-by: r3g_5z <june@terezi.dev>
docs/docs/configuration/hardening.md
docs/docs/configuration/i2p.md
docs/docs/configuration/onion_federation.md
docs/docs/installation/openbsd_en.md
lib/pleroma/web/plugs/http_security_plug.ex

index 182a54422b3bdfc532f3f3ca770cbac39a39a0bc..3011812fc8d5f244f6242e0c967a0e12312f8dff 100644 (file)
@@ -23,7 +23,7 @@ This sets the `secure` flag on Akkoma’s session cookie. This makes sure, that
 
 This will send additional HTTP security headers to the clients, including:
 
-* `X-XSS-Protection: "1; mode=block"`
+* `X-XSS-Protection: "0"`
 * `X-Permitted-Cross-Domain-Policies: "none"`
 * `X-Frame-Options: "DENY"`
 * `X-Content-Type-Options: "nosniff"`
index fecf66a8441d46486b7d43e3afa8663d19bfb18f..981593366abdd56fa522c0f2105c99a578bc417e 100644 (file)
@@ -155,7 +155,7 @@ server {
 
     location / {
 
-        add_header X-XSS-Protection "1; mode=block";
+        add_header X-XSS-Protection "0";
         add_header X-Permitted-Cross-Domain-Policies none;
         add_header X-Frame-Options DENY;
         add_header X-Content-Type-Options nosniff;
index 499b4a693dc57d0cc8a8b9ed45c3d1b2ba5bfb5c..9fc1cef062a57183b559fd175886a1f927646158 100644 (file)
@@ -99,7 +99,7 @@ server {
 
     location / {
 
-        add_header X-XSS-Protection "1; mode=block";
+        add_header X-XSS-Protection "0";
         add_header X-Permitted-Cross-Domain-Policies none;
         add_header X-Frame-Options DENY;
         add_header X-Content-Type-Options nosniff;
index 581942f9902238edf05afd215f70f4e9a9f724b7..2b163df6dfdcc5f88ba2fa860a79ff46d1b54659 100644 (file)
@@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
 
-       match response header append "X-XSS-Protection" value "1; mode=block"
+       match response header append "X-XSS-Protection" value "0"
        match response header append "X-Permitted-Cross-Domain-Policies" value "none"
        match response header append "X-Frame-Options" value "DENY"
        match response header append "X-Content-Type-Options" value "nosniff"
index fc2f7b268926a7b676d6108af5171f5af3027c2f..5f36b77d166f217068db5d654ffd175d5dc53e94 100644 (file)
@@ -42,7 +42,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
     custom_http_frontend_headers = custom_http_frontend_headers()
 
     headers = [
-      {"x-xss-protection", "1; mode=block"},
+      {"x-xss-protection", "0"},
       {"x-permitted-cross-domain-policies", "none"},
       {"x-frame-options", "DENY"},
       {"x-content-type-options", "nosniff"},
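Review bot: The new line keeps `x-xss-protection` in the list with the value `"0"` rather than dropping the header as the commit title says, and that choice should be explained on the line so a later cleanup does not "finish" the removal: `"0"` explicitly turns the auditor off in browsers that still ship one (e.g. legacy Edge/IE), whereas omitting the header leaves those browsers in their default filtering mode, which is the behaviour the commit message calls vulnerable. Suggested comment above the tuple: `# "0" (not omission) is intentional: explicitly disables the legacy XSS auditor where it still exists; CSP is the real XSS defence`. This presumes a `content-security-policy` header is emitted elsewhere in this plug — confirm, since none is visible in the hunk. The `headers` list and the enclosing function begin before and continue past the hunk.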