Christian Sutter authored
This header has been deprecated and the XSS auditor it triggered has been removed from all major modern browsers (in favour of Content Security Policy) that implemented this header to begin with (Firefox never did). [OWASP](https://owasp.org/www-project-secure-headers/#x-xss-protection) suggests setting this header to '0' to disable the default behaviour on old browsers as it can introduce additional security issues. Added the new behaviour as a framework default from Rails 7.0.
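An added example, not part of this commit or of Rails itself: a plain-Ruby, Rack-style middleware that applies the value the commit message describes (`X-XSS-Protection: 0`) to responses from code that still sets the old value, plus a small header audit. The class name `LegacyXssHeaderFix` and the sample app are assumptions made for illustration.

```ruby
# Added example; LegacyXssHeaderFix is a hypothetical name, not a Rails class.
class LegacyXssHeaderFix
  HEADER = "x-xss-protection"

  def initialize(app)
    @app = app
  end

  # Standard Rack interface: pass the request through, rewrite the response headers.
  def call(env)
    status, headers, body = @app.call(env)
    [status, self.class.normalize(headers), body]
  end

  # Returns a copy of the headers with exactly one X-XSS-Protection entry, set to "0".
  # Names are matched case-insensitively because upstream code may emit
  # "X-XSS-Protection", "X-Xss-Protection" or the all-lowercase form.
  def self.normalize(headers)
    cleaned = headers.reject { |name, _| name.to_s.downcase == HEADER }
    cleaned.merge("X-XSS-Protection" => "0")
  end

  # Lists findings for a response header hash. Any value other than "0" leaves
  # the legacy auditor active on old browsers; CSP is the replacement control.
  def self.audit(headers)
    lower = headers.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = v.to_s.strip }
    findings = []
    xss = lower[HEADER]
    if xss.nil?
      findings << "X-XSS-Protection missing: old browsers keep their default auditor behaviour"
    elsif xss != "0"
      findings << "X-XSS-Protection is #{xss.inspect}, expected \"0\""
    end
    findings << "no Content-Security-Policy header" unless lower.key?("content-security-policy")
    findings
  end
end

# Constructed sample: an upstream app that still sends the old auditor-enabling value.
LEGACY_APP = lambda do |_env|
  [200, { "x-xss-protection" => "1; mode=block", "Content-Type" => "text/html" }, ["ok"]]
end
```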