Conversation

I'm not sure who needs to hear this but... X-XSS-Protection security header is dead. It's only for backwards compatibility, but recently (2019) vulnerabilities have been discovered and it's been used successfully to attack apps. Use Content Security Policy (CSP) instead. 🌞

108

377

Replying to

A growing number of sites now actively disable the XSS Auditor in their header: crawler.ninja/files/xxp-valu

You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more

Replying to

and

The traditional default (1) was unsafe. False positives for regular usage are definitely an issue and I've seen that in practice. An example is if you have a query string where people are searching for strings from C-style languages. Setting it to 0 matches modern browsers.

Replying to

Using `1; mode=block` avoids most of the safety issues (not all) but you still have the issue of false positives if you have a search query string or similar user input. It's a pretty awful hack to be breaking things like that.

Replying to

CSP without unsafe-inline/unsafe-eval and enabling trusted types is the way to go. Don't need to add any code to implement trusted types if you take the approach of avoiding using XSS sinks like innerHTML and instead create DOM nodes programmatically. Can also whitelist though.

6:27 PM · Jan 8, 2021Twitter Web App

Likes