X-XSS-Protection = 0 (zero) .. IPS default forced setting


X-XSS-Protection is set to 0 (zero) by Output.php ..

Quote

This is so when we post contents with scripts (which is possible in the editor, like when embedding a Twitter tweet) the browser doesn't block it

Is it still needed to force/add another header?

Almost all servers are already configured to set X-XSS-Protection to 1 ..

Now I have this header 2x in my headers ..


I'm fairly sure that it is no longer required, because they have switched to iframes instead. I think I have previously brought it up with IPS, but I can't remember what their response was (I think probably they either said they'd look into it, or they just didn't see/act on that bit of the message).


4 hours ago, Marcher Technologies said:

Um, yeah, iframes being posted are flagged as XSS and blocked by that header, regardless of whether they are trusted. I don't think your server should be deciding that header, that is the software's decision based on its needs.

Yes .. like you said "the software's needs" .. But that doesn't mean it has to be switched off all the time and globally .. It's a lazy coding way to avoid a problem ..

And it's posted everywhere on the net to tidy up server security, for Apache, Nginx, etc. .. it's all in the server configuration .. not that PHP has to fiddle with such things all the time ..

7 hours ago, Colonel_mortis said:

I'm fairly sure that it is no longer required, because they have switched to iframes instead. I think I have previously brought it up with IPS, but I can't remember what their response was (I think probably they either said they'd look into it, or they just didn't see/act on that bit of the message).

IPS never advised before to set the server configuration without X-XSS-Protection, which is very weird if they wanna switch it off (zero) and then the server config switches it on (1) again .. having now 2 headers with 0 and 1 settings, which one will get priority?

And I guess browsers will soon not look at this header anymore to flag a warning, it will be a default setting to have XSS protection always on ..


13 hours ago, IN10TION said:

And I guess browsers will soon not look at this header anymore to flag a warning, it will be a default setting to have XSS protection always on ..

It is on by default in all browsers that support it (Chrome and IE/Edge), but some versions of IE need the header to force them into strict mode. IPS sends the header to disable the protection, because it used to (and may still) cause issues with the editor.

13 hours ago, IN10TION said:

IPS never advised before to set the server configuration without X-XSS-Protection, which is very weird if they wanna switch it off (zero) and then the server config switches it on (1) again .. having now 2 headers with 0 and 1 settings, which one will get priority?

The last header sent, which is probably the server config's, should take priority I think.

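An added check for the duplicate-header situation discussed in this thread (example code, not from the thread, from IPS or from any web server): it parses a constructed raw HTTP response in which the application sends `X-XSS-Protection: 0` and the server config appends `1; mode=block`, and reports the duplicate and the 0-vs-1 conflict without guessing which copy a browser will honour. The sample response and the function names are assumptions made for the example.

```python
"""Audit an HTTP response for duplicate or conflicting X-XSS-Protection headers."""
from typing import Dict, List, Tuple

# Constructed sample response (assumption for this example): the application
# sends 0, then the web server configuration adds its own 1; mode=block.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, keeping order and duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_xss_value(value: str) -> Dict:
    """Split a value such as '1; mode=block' into the on/off flag and its directives."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    enabled = parts[0] if parts else ""
    directives = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return {"enabled": enabled, "directives": directives}


def audit_xss_protection(raw: str) -> Dict:
    """Flag responses that carry the header more than once or with disagreeing flags."""
    values = [v for name, v in parse_headers(raw) if name == "x-xss-protection"]
    flags = {parse_xss_value(v)["enabled"] for v in values}
    return {
        "count": len(values),
        "values": values,
        "duplicate": len(values) > 1,
        "conflict": len(flags) > 1,  # e.g. one copy says 0 and another says 1
    }


if __name__ == "__main__":
    print(audit_xss_protection(SAMPLE_RESPONSE))
```

Run it against real output from `curl -i` by pasting the raw response into the function; a `conflict` result means the application and the server are both setting the header and should be reconciled in one place.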
