X-XSS-Protection is obsolete / deprecated and should be removed

Question

X-XSS-Protection is obsolete / deprecated and should be removed

DanielRuf opened this issue 2 years ago · comments

Describe the bug
X-XSS-Protection is obsolete for a few years now and not supported by browsers anymore. This header will do nothing and at least caused privacy and security issues in the past.

To Reproduce

Expected behavior
Remove the X-XSS-Protection header.

Additional context
See also:
https://caniuse.com/mdn-http_headers_x-xss-protection
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Daniel Ruf · Answer 1 · Sat Apr 02 2022 17:45:08 GMT+0800 (China Standard Time)

Done at https://github.com/wp-cli-secure/wp-cli-secure-command (https://github.com/wp-cli-secure/wp-cli-secure-command/commit/bc9573664abec35389688fc326ae2c45b629a449).

Igor Hrček · Answer 2 · Tue Apr 05 2022 19:24:32 GMT+0800 (China Standard Time)

Agreed, this should be handled by CSP policy.

Igor Hrček · Answer 3 · Tue Apr 05 2022 19:25:13 GMT+0800 (China Standard Time)

🎉 This issue has been resolved in version 1.17.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀