From: r3g_5z
Date: Sun, 20 Nov 2022 01:40:20 +0000 (-0500)
Subject: Drop XSS auditor
X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=f90552f62e7a7b3414e57387f97741b9b253d0e1;p=akkoma
Drop XSS auditor
It's deprecated, removed in some, by all modern browsers and is known to create XSS vulnerabilities in itself.
Signed-off-by: r3g_5z
---
diff --git a/docs/docs/configuration/hardening.md b/docs/docs/configuration/hardening.md
index 182a54422..3011812fc 100644
--- a/docs/docs/configuration/hardening.md
+++ b/docs/docs/configuration/hardening.md
@@ -23,7 +23,7 @@ This sets the `secure` flag on Akkoma’s session cookie. This makes sure, that
 This will send additional HTTP security headers to the clients, including:
-* `X-XSS-Protection: "1; mode=block"`
+* `X-XSS-Protection: "0"`
 * `X-Permitted-Cross-Domain-Policies: "none"`
 * `X-Frame-Options: "DENY"`
 * `X-Content-Type-Options: "nosniff"`
diff --git a/docs/docs/configuration/i2p.md b/docs/docs/configuration/i2p.md
index fecf66a84..981593366 100644
--- a/docs/docs/configuration/i2p.md
+++ b/docs/docs/configuration/i2p.md
@@ -155,7 +155,7 @@ server {
 location / {
- add_header X-XSS-Protection "1; mode=block";
+ add_header X-XSS-Protection "0";
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
diff --git a/docs/docs/configuration/onion_federation.md b/docs/docs/configuration/onion_federation.md
index 499b4a693..9fc1cef06 100644
--- a/docs/docs/configuration/onion_federation.md
+++ b/docs/docs/configuration/onion_federation.md
@@ -99,7 +99,7 @@ server {
 location / {
- add_header X-XSS-Protection "1; mode=block";
+ add_header X-XSS-Protection "0";
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md
index 581942f99..2b163df6d 100644
--- a/docs/docs/installation/openbsd_en.md
+++ b/docs/docs/installation/openbsd_en.md
@@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
 match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
 match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
- match response header append "X-XSS-Protection" value "1; mode=block"
+ match response header append "X-XSS-Protection" value "0"
 match response header append "X-Permitted-Cross-Domain-Policies" value "none"
 match response header append "X-Frame-Options" value "DENY"
 match response header append "X-Content-Type-Options" value "nosniff"
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index fc2f7b268..5f36b77d1 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -42,7 +42,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 custom_http_frontend_headers = custom_http_frontend_headers()
 headers = [
- {"x-xss-protection", "1; mode=block"},
+ {"x-xss-protection", "0"},
 {"x-permitted-cross-domain-policies", "none"},
 {"x-frame-options", "DENY"},
 {"x-content-type-options", "nosniff"},
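Review bot: The new `{"x-xss-protection", "0"}` tuple in the `headers` list of http_security_plug.ex needs a why-comment, because a later reader will see a security header set to its "off" value and be tempted to restore `1; mode=block`; a line such as `# "0" explicitly disables the legacy browser XSS auditor (a known side channel); the CSP is the real XSS mitigation` directly above the tuple would pin the intent. Keeping the header at "0" rather than dropping it altogether is the right choice, since a browser that still ships the auditor would otherwise fall back to its own default. If this module also emits a content-security-policy header further down the list builder, it is worth naming it in that comment; it is not visible from this hunk. Any test in the plug's test suite that still asserts the old `1; mode=block` value will need the same update, which the commit does not include. The function that builds `headers` starts above the hunk.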