From: r3g_5z <june@terezi.dev>
Date: Sun, 20 Nov 2022 01:40:20 +0000 (-0500)
Subject: Drop XSS auditor
X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=f90552f62e7a7b3414e57387f97741b9b253d0e1;p=akkoma

Drop XSS auditor

It's deprecated by all modern browsers, removed in some, and is known
to create XSS vulnerabilities in itself.

Signed-off-by: r3g_5z <june@terezi.dev>
---

diff --git a/docs/docs/configuration/hardening.md b/docs/docs/configuration/hardening.md
index 182a54422..3011812fc 100644
--- a/docs/docs/configuration/hardening.md
+++ b/docs/docs/configuration/hardening.md
@@ -23,7 +23,7 @@ This sets the `secure` flag on Akkoma’s session cookie. This makes sure, that
 
 This will send additional HTTP security headers to the clients, including:
 
-* `X-XSS-Protection: "1; mode=block"`
+* `X-XSS-Protection: "0"`
 * `X-Permitted-Cross-Domain-Policies: "none"`
 * `X-Frame-Options: "DENY"`
 * `X-Content-Type-Options: "nosniff"`
diff --git a/docs/docs/configuration/i2p.md b/docs/docs/configuration/i2p.md
index fecf66a84..981593366 100644
--- a/docs/docs/configuration/i2p.md
+++ b/docs/docs/configuration/i2p.md
@@ -155,7 +155,7 @@ server {
 
     location / {
 
-        add_header X-XSS-Protection "1; mode=block";
+        add_header X-XSS-Protection "0";
         add_header X-Permitted-Cross-Domain-Policies none;
         add_header X-Frame-Options DENY;
         add_header X-Content-Type-Options nosniff;
diff --git a/docs/docs/configuration/onion_federation.md b/docs/docs/configuration/onion_federation.md
index 499b4a693..9fc1cef06 100644
--- a/docs/docs/configuration/onion_federation.md
+++ b/docs/docs/configuration/onion_federation.md
@@ -99,7 +99,7 @@ server {
 
     location / {
 
-        add_header X-XSS-Protection "1; mode=block";
+        add_header X-XSS-Protection "0";
         add_header X-Permitted-Cross-Domain-Policies none;
         add_header X-Frame-Options DENY;
         add_header X-Content-Type-Options nosniff;
diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md
index 581942f99..2b163df6d 100644
--- a/docs/docs/installation/openbsd_en.md
+++ b/docs/docs/installation/openbsd_en.md
@@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
 	match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
 	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
 
-	match response header append "X-XSS-Protection" value "1; mode=block"
+	match response header append "X-XSS-Protection" value "0"
 	match response header append "X-Permitted-Cross-Domain-Policies" value "none"
 	match response header append "X-Frame-Options" value "DENY"
 	match response header append "X-Content-Type-Options" value "nosniff"
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index fc2f7b268..5f36b77d1 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -42,7 +42,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
     custom_http_frontend_headers = custom_http_frontend_headers()
 
     headers = [
-      {"x-xss-protection", "1; mode=block"},
+      {"x-xss-protection", "0"},
       {"x-permitted-cross-domain-policies", "none"},
       {"x-frame-options", "DENY"},
       {"x-content-type-options", "nosniff"},
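Review bot: The new tuple keeps the header with the value `"0"` rather than dropping it, which is the right choice (it tells browsers that still honor the legacy auditor to turn it off) but reads as a contradiction of the title "Drop XSS auditor", and the line carries no explanation, so a later cleanup of this headers list may remove the tuple or restore `1; mode=block`. I would put a comment on the line, e.g. `# "0" explicitly disables the legacy browser XSS auditor; it is deprecated and has itself been a source of XSS, so do not re-enable it.` The same value change appears in the four docs hunks (hardening.md, i2p.md, onion_federation.md, openbsd_en.md) and they agree with this one. If an existing test asserts the old header value it will need the same update; none is visible in this patch. The enclosing function begins and ends outside the hunk.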